  #1  Nick (masquerading) | Joined Jun 2003 | East Coast | 2,215 posts

    Getting variables from URL, unsafe

    I am currently using a simple mode of getting the variables from the URL, like

    SELECT * from Table Where(What=$What) and having the url go like page.php?What=This

    Now a friend told me that somebody could just put in a DELETE statement and puff, all gone. He suggested something like:

    Code:
    $Query = "SELECT * from $TableName WHERE Side='" . mysql_escape_string( $_GET['side'] ) . "' AND Type='" . mysql_escape_string( $_GET['type'] ) . "'";
    But that does not work. Would that protect me from a delete statement, and if so, what is wrong with it?

  #2  SitePoint Zealot | Joined May 2003 | Dover, PA | 135 posts
    You should never just insert data that a user inputs into a query. You need to take the time to make sure data being input into the query is valid data. For example, if the type of data is supposed to be a number, throw an error if it isn't a number.

    This is more of a PHP question than a MySQL question, really. I could tell you how to do it in Perl using DBI which is relatively easy, but I don't do PHP.
    http://www.statgfx.com
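    The check the reply above recommends, written out in PHP as an added example (this is not code from the thread). It assumes the parameter names from the first post (id, side, type, and a table name) and an allowlist of permitted values that is made up for the demo. The table name matters: a table or column name can never be sent as a query parameter, so an allowlist is the only way to take it from the URL safely.

```php
<?php
// Added example, not from the thread: validate URL parameters before any query
// is built from them. Allowed values below are assumed for the demo.

// Values that may only be one of a fixed set. Table and column names in
// particular cannot be passed as query placeholders, so they must be allowlisted.
const ALLOWED_SIDES  = ['left', 'right'];
const ALLOWED_TYPES  = ['menu', 'ad'];
const ALLOWED_TABLES = ['items', 'archive'];

/**
 * Validates the raw $_GET array and returns clean, typed values.
 * Throws on anything unexpected so a query is never built from bad input.
 */
function validateLookupParams(array $get): array
{
    // id must be a whole number; ctype_digit rejects signs, spaces, letters,
    // and anything like "42 OR 1=1".
    if (!isset($get['id']) || !is_string($get['id']) || !ctype_digit($get['id'])) {
        throw new InvalidArgumentException('id must be a positive integer');
    }

    // Enumerated values: strict comparison against the allowlist.
    $allowlists = ['side' => ALLOWED_SIDES, 'type' => ALLOWED_TYPES, 'table' => ALLOWED_TABLES];
    foreach ($allowlists as $name => $allowed) {
        if (!isset($get[$name]) || !in_array($get[$name], $allowed, true)) {
            throw new InvalidArgumentException("$name is not an allowed value");
        }
    }

    return [
        'id'    => (int) $get['id'],
        'side'  => $get['side'],
        'type'  => $get['type'],
        'table' => $get['table'],
    ];
}

// Constructed inputs standing in for page.php?id=...&side=...&type=...&table=...
$requests = [
    ['id' => '42',        'side' => 'left', 'type' => 'ad', 'table' => 'items'], // valid
    ['id' => '42 OR 1=1', 'side' => 'left', 'type' => 'ad', 'table' => 'items'], // id rejected
    ['id' => '7',         'side' => 'left', 'type' => 'ad', 'table' => 'users'], // table rejected
];

foreach ($requests as $get) {
    try {
        $clean = validateLookupParams($get);
        // Only now is it safe to put the table name into the SQL text; the
        // id/side/type values should still be bound as query parameters.
        echo "OK: table={$clean['table']} id={$clean['id']}\n";
    } catch (InvalidArgumentException $e) {
        echo "Rejected: {$e->getMessage()}\n";
    }
}
```

    Rejecting the request outright, rather than trying to clean the value up, is deliberate: a value that is not a digit string or not in the allowlist has no legitimate meaning for this page, so there is nothing to repair.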

  #3  Owen (Hi there!) | Joined Jan 2000 | CA | 1,165 posts
    You put it in quotes and escaped it (you can also use addslashes) so you're safe using your example query from all attacks. You shouldn't directly put in user input if you don't put the data in quotes (i.e. passing in a number) as dotcomguy said. But a sanity check on the data is always a good idea, nonetheless.

    There's no reason why the above query wouldn't work unless you made a typo in it... try echo-ing it to see if there is a problem.

    Owen

  #4  SitePoint Zealot | Joined May 2003 | Dover, PA | 135 posts
    Quote Originally Posted by Owen
    You put it in quotes and escaped it (you can also use addslashes) so you're safe using your example query from all attacks. You shouldn't directly put in user input if you don't put the data in quotes (i.e. passing in a number) as dotcomguy said. But a sanity check on the data is always a good idea, nonetheless.
    Since this is a language non-specific forum, I might as well mention how I would do it . . .

    Code:
    use strict;
    use warnings;
    use DBI;

    # $dbh is an already open database handle (DBI->connect)
    # $input_data is POST or GET data passed to the script
    my $sth = $dbh->prepare('Select * from table where id = ?');
    $sth->execute($input_data);
    # Question marks are placed where the inputs go in the query
    # They are replaced by the script by passing them as arguments
    # to the execute() method of the DBI module
    http://www.statgfx.com
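    The same placeholder approach in PHP, as an added example that is not code from the thread: PDO prepared statements are the PHP counterpart of the DBI prepare/execute pair above (the mysql_escape_string family used in the first post was removed in PHP 7). The example assumes the pdo_sqlite extension so it can run against an in-memory database; the table and rows are constructed for the demo. It also shows the case Owen mentions, an unquoted number dropped straight into the SQL text, beside the prepared version of the same lookup.

```php
<?php
// Added example, not from the thread: PDO prepared statements with ? and named
// placeholders. Assumes pdo_sqlite; table and rows are constructed for the demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, side TEXT, type TEXT)');
$pdo->exec("INSERT INTO items (id, side, type) VALUES
            (1, 'left', 'menu'), (2, 'right', 'ad'), (3, 'left', 'ad')");

// The pattern from the first post: the raw URL value becomes part of the SQL
// text. With no quotes around the number, an escaping call would change nothing.
function findByIdUnsafe(PDO $pdo, string $id): array
{
    $sql = "SELECT * FROM items WHERE id = $id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The DBI approach translated: a ? placeholder, value handed to execute().
// The value travels separately from the SQL text, so the database only ever
// compares it as data and never parses it as part of the statement.
function findByIdSafe(PDO $pdo, string $id): array
{
    $sth = $pdo->prepare('SELECT * FROM items WHERE id = ?');
    $sth->execute([$id]);
    return $sth->fetchAll(PDO::FETCH_ASSOC);
}

// The two-column lookup from the first post, with named placeholders.
function findBySideAndType(PDO $pdo, string $side, string $type): array
{
    $sth = $pdo->prepare('SELECT * FROM items WHERE side = :side AND type = :type');
    $sth->execute([':side' => $side, ':type' => $type]);
    return $sth->fetchAll(PDO::FETCH_ASSOC);
}

// A normal id behaves the same both ways: exactly one row.
printf("unsafe, id=2: %d row(s)\n", count(findByIdUnsafe($pdo, '2')));
printf("safe,   id=2: %d row(s)\n", count(findByIdSafe($pdo, '2')));

// A value that is not a plain number. Concatenated, it rewrites the WHERE
// clause and the query returns every row in the table; prepared, the whole
// string is compared against the id column and matches nothing.
$tampered = '2 OR 1=1';
printf("unsafe, tampered: %d row(s)\n", count(findByIdUnsafe($pdo, $tampered)));
printf("safe,   tampered: %d row(s)\n", count(findByIdSafe($pdo, $tampered)));

// A value containing a quote needs no escaping call at all with placeholders;
// it is simply a string that matches no row here.
printf("safe, type=it's: %d row(s)\n", count(findBySideAndType($pdo, 'left', "it's")));
```

    Placeholders cover values only. The table name interpolated in the first post ($TableName) still has to come from an allowlist in the script, because no driver accepts an identifier as a bound parameter.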
