  1. #1
    SitePoint Wizard, United Kingdom, joined Nov 2003

    is using $_GET[] in a sql query line a security risk?

    Hi,

    I was just wondering if using $_GET[] in a SQL query line is a security risk? If so, what is a better way of getting the information for the SQL query?

  2. #2
    SitePoint Evangelist, Germany, joined May 2004

    it is quite safe if you do the following:

    PHP Code:
    // Magic quotes off: nothing has escaped the input yet, so escape it here
    if (get_magic_quotes_gpc() == 0)
    {
        $_GET['somevar'] = mysql_escape_string($_GET['somevar']);
    }


  3. #3
    jaswinder_rana (Umm. PHP Guru....Naaaah), Canada, joined Jul 2004
    Never believe the user. Use mysql_real_escape_string() to clean the data entered by the user.

    Something like
    PHP Code:
    $name = mysql_real_escape_string($_GET['name']);

  4. #4
    jaswinder_rana (Umm. PHP Guru....Naaaah), Canada, joined Jul 2004
    Just to clear my doubts, one question Daimaju:

    Don't we use mysql_real_escape_string() anyway, whether magic quotes are on or off? Because it might put slashes before quotes, but what about if the user puts PHP code in their data?

    Just confusing to me.

  5. #5
    Icheb (Non-Member), Germany, joined Mar 2003
    You can put as much PHP code in it as you like; it won't get executed. It will only get executed if you eval() user input or use preg_replace with the e flag.

  6. #6
    SitePoint Wizard, United Kingdom, joined Nov 2003
    Quote Originally Posted by jaswinder_rana
    Never believe the user. Use mysql_real_escape_string() to clean the data entered by the user.

    Something like
    PHP Code:
    $name = mysql_real_escape_string($_GET['name']);
    I still don't quite get it.

    How do I make something like the following safe from hijackers?

    select substring_index(Description,' ',25) as Description, Price from houses where apartments like '%$namecat%' AND Price >= $_GET[topmin] AND Price <= $_GET[topmax] order by $_GET[scrip] $_GET[order]

    I hope you can help

    Thanks!

  7. #7
    someonewhois (SitePoint Wizard, silver trophy), Canada, joined Jan 2002
    mysql_query('select substring_index(Description,' ',25) as Description, Price from houses where apartments like '%$namecat%' AND Price >= '.mysql_real_escape_string($_GET[topmin]).' AND Price <= '.mysql_real_escape_string($_GET[topmax]).' order by '.mysql_real_escape_string($_GET[scrip]).' '.mysql_real_escape_string($_GET[order]));

    Or
    foreach($_GET AS $k=>$v)
    {
    $_GET[$k] = mysql_real_escape_string($v);
    }

    If you're lazy. Using GET isn't a security risk, as long as you know what you're expecting in and you're doing proper checks (i.e. if it's an ID, you're using is_numeric; if it's a shortened state, you're using strlen($_GET['state'])==2, etc.).

  8. #8
    SitePoint Wizard, United Kingdom, joined Nov 2003
    Hi,

    Thanks for showing me. But I have used the following, which is now making my results not show up.

    Could you please give me some info on why this may be happening?

    Quote Originally Posted by someonewhois
    mysql_query('select substring_index(Description,' ',25) as Description, Price from houses where apartments like '%$namecat%' AND Price >= '.mysql_real_escape_string($_GET[topmin]).' AND Price <= '.mysql_real_escape_string($_GET[topmax]).' order by '.mysql_real_escape_string($_GET[scrip]).' '.mysql_real_escape_string($_GET[order]));

    Or
    foreach($_GET AS $k=>$v)
    {
    $_GET[$k] = mysql_real_escape_string($v);
    }

    If you're lazy. Using GET isn't a security risk, as long as you know what you're expecting in and you're doing proper checks (i.e. if it's an ID, you're using is_numeric; if it's a shortened state, you're using strlen($_GET['state'])==2, etc.).

  9. #9
    someonewhois (SitePoint Wizard, silver trophy), Canada, joined Jan 2002
    Add quotes around the indices; I didn't notice you didn't have them. Also, you'll have to leave quotes for $namecat to work, and you're going to have to escape the quotes. Make it:

    like \'%'.$namecat.'%\'

    Instead of
    like '%$namecat%%'
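The query from posts #6, #7 and #9, rewritten as an added example for current PHP; this is not code from any poster in this thread. The mysql_* extension the thread relies on was removed in PHP 7.0, so the example uses PDO prepared statements for the values and a fixed allow-list for the ORDER BY column and direction, which a placeholder cannot protect. The table and column names are the ones from the thread; the DSN, the credentials, and the getParam() and buildHousesQuery() helpers are assumptions made for the example.

```php
<?php
// Added example, not code from the thread: hardened version of the query in post #6.
// Assumptions: the DSN and credentials below are placeholders, and getParam() and
// buildHousesQuery() are helpers defined here; table and column names come from the thread.

// Return a request parameter as a string, or $default if it is missing or not a scalar.
// Stops ?key[]=x from reaching string functions as an array.
function getParam(array $source, string $key, string $default = ''): string
{
    return isset($source[$key]) && is_scalar($source[$key]) ? (string) $source[$key] : $default;
}

// Build the parameterised query. Returns [$sql, $bindings]: the bindings go to
// execute() and are never concatenated into the SQL text.
function buildHousesQuery(array $get): array
{
    // Price bounds must be numeric: reject bad input instead of trying to clean it.
    $topmin = getParam($get, 'topmin');
    $topmax = getParam($get, 'topmax');
    if (!is_numeric($topmin) || !is_numeric($topmax)) {
        throw new InvalidArgumentException('topmin and topmax must be numeric');
    }

    // ORDER BY cannot take a bound parameter, so the column and direction are
    // mapped onto an allow-list; anything unknown falls back to the default.
    $allowedSort = ['Price' => 'Price', 'Description' => 'Description'];
    $allowedDir  = ['asc' => 'ASC', 'desc' => 'DESC'];
    $sortCol = $allowedSort[getParam($get, 'scrip')] ?? 'Price';
    $sortDir = $allowedDir[strtolower(getParam($get, 'order'))] ?? 'ASC';

    // The LIKE wildcards belong to the value, not the SQL text. Literal %, _ and \
    // typed by the user are escaped so they match themselves.
    $pattern = '%' . addcslashes(getParam($get, 'namecat'), '%_\\') . '%';

    $sql = "SELECT SUBSTRING_INDEX(Description, ' ', 25) AS Description, Price"
         . " FROM houses"
         . " WHERE apartments LIKE :pattern AND Price >= :topmin AND Price <= :topmax"
         . " ORDER BY $sortCol $sortDir";

    return [$sql, [':pattern' => $pattern, ':topmin' => $topmin, ':topmax' => $topmax]];
}

// Hypothetical connection: replace host, database, user and password with your own.
$pdo = new PDO(
    'mysql:host=localhost;dbname=example_db;charset=utf8mb4',
    'db_user',
    'db_pass',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

try {
    [$sql, $bindings] = buildHousesQuery($_GET);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('Bad request: ' . $e->getMessage());
}

$stmt = $pdo->prepare($sql);
$stmt->execute($bindings);

foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    // Escape on output too: this data came from users in the first place.
    echo htmlspecialchars($row['Description'], ENT_QUOTES, 'UTF-8'), ' ', $row['Price'], "\n";
}
```

With a prepared statement the values travel separately from the SQL text, so the quoting problems in posts #8 and #9 disappear: there is no string to balance quotes inside of. What still needs checking by hand is exactly what post #7 describes: the parts that are not values. The price bounds are validated with is_numeric and rejected outright, and the sort column and direction are looked up in a fixed list rather than escaped, because escaping a column name or the word ASC does nothing useful.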

  10. #10
    SitePoint Wizard, United Kingdom, joined Nov 2003
    I've added quotes around $namecat like \'%'.$namecat.'%\'

    Where else do I add them? Also, at the moment, after doing the \'%'.$namecat.'%\' my script is now producing a PHP error instead of a normal working page with no results.

    Quote Originally Posted by someonewhois
    Add quotes around the indices; I didn't notice you didn't have them. Also, you'll have to leave quotes for $namecat to work, and you're going to have to escape the quotes. Make it:

    like \'%'.$namecat.'%\'

    Instead of
    like '%$namecat%%'
