  1. #1
    co.ador (SitePoint Wizard, joined Apr 2009, 1,054 posts)

    Passing a variable and building an SQL injection, or putting in the variable?

    The variables below are passed into itemdetails2.php.

    PHP Code:
    // The \" escapes show this sits inside a double-quoted string; the missing "." before $content['id'] is restored
    // and the plate name is URL-encoded so spaces or "&" in it do not break the query string.
    echo "<a href=\"itemdetails2.php?id=" . $content['id'] . "&platename=" . urlencode($content['platename']) . "\">";

    In itemdetails2.php I pull the variables from the URL, making them available throughout the whole script in itemdetails2.php, by:

    PHP Code:
    <?php
    $shoename = $_GET['platename'];

    $id = (int)$_GET['id'];

    if ($id === 0) {
        exit('ID can only be an integer');
    }
    ?>
    After I make it available throughout the whole script in itemdetails2.php, I want to build an SQL injection that takes the value of the variable $shoename and puts it inside the OutputRating method parameter below:


    PHP Code:
    <?php
    // Assignment operator restored; the rating output is kept until the error check has run.
    $ratingData = Rating::OutputRating('paul');

    if (Error::HasErrors()) {
        echo Error::ShowErrorMessages();
        Error::ClearErrors();
    } else {
        echo $ratingData;
    }
    ?>
    Notice that the parameter says paul. Instead of paul I want it to contain the value of the shoename variable from the URL.



    PHP Code:
    <?php
    $shoename = $_GET['platename'];

    $id = (int)$_GET['id'];

    if ($id === 0) {
        exit('ID can only be an integer');
    }
    ?>

    <?php
    // Assignment operator restored; the quoted '$shoename' is left as posted, since that is what the question asks about.
    $ratingData = Rating::OutputRating('$shoename');

    if (Error::HasErrors()) {
        echo Error::ShowErrorMessages();
        Error::ClearErrors();
    } else {
        echo $ratingData;
    }
    ?>

    Is it correct to put the $shoename variable in there just like I did in the last embedded script?

  2. #2
    guido2004 (From Italy with love, joined Sep 2004, 9,501 posts)
    Don't use quotes around the variable name.

    And 'mysql injection' is something else.
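An added example, not code from either post, that puts guido2004's two points together: the variable is passed unquoted, and "SQL injection" refers to user input ending up inside the SQL text, which a prepared statement prevents. The Rating class, the ratings table and the in-memory PDO database are stand-ins for the poster's real OutputRating code.

```php
<?php
declare(strict_types=1);
// Rating, the ratings table and the PDO setup stand in for the poster's code.
final class Rating
{
    public function __construct(private PDO $db) {}
    // Unsafe: the name is pasted into the SQL text, so a quote inside it changes
    // the statement itself. This is the pattern SQL injection abuses.
    public function outputRatingUnsafe(string $shoename): string
    {
        $sql = "SELECT AVG(score) AS avg FROM ratings WHERE platename = '$shoename'";
        $row = $this->db->query($sql)->fetch(PDO::FETCH_ASSOC);
        return sprintf('%s: %.1f', $shoename, (float) $row['avg']);
    }

    // Safe: the name is bound as a parameter and never becomes SQL text.
    public function outputRating(string $shoename): string
    {
        $stmt = $this->db->prepare('SELECT AVG(score) AS avg FROM ratings WHERE platename = :name');
        $stmt->execute([':name' => $shoename]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return sprintf('%s: %.1f', $shoename, (float) $row['avg']);
    }
}

// Constructed in-memory database with a few sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ratings (platename TEXT NOT NULL, score INTEGER NOT NULL)');
$ins = $db->prepare('INSERT INTO ratings (platename, score) VALUES (?, ?)');
foreach ([["O'Neil", 5], ["O'Neil", 3], ['paul', 1]] as $r) {
    $ins->execute($r);
}

// Constructed request standing in for ?id=...&platename=... on itemdetails2.php.
$_GET = ['id' => '7', 'platename' => "O'Neil"];
$id = (int) $_GET['id'];
if ($id === 0) {
    exit('ID can only be an integer');
}
$shoename = $_GET['platename'];
$rating = new Rating($db);
// Pass the variable itself; '$shoename' in single quotes would be the literal text.
echo $rating->outputRating($shoename), "\n";
try {
    echo $rating->outputRatingUnsafe($shoename), "\n";
} catch (PDOException $e) {
    // A legitimate name with an apostrophe is enough to break the unsafe query.
    echo 'unsafe query failed: ', $e->getMessage(), "\n";
}
```

Run it with the pdo_sqlite extension enabled; the safe call prints the average for O'Neil while the unsafe call fails on the apostrophe, which is the same weakness an attacker-controlled value would reach.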

