SitePoint Sponsor

User Tag List

Results 1 to 6 of 6

Thread: $_POST Question

  1. #1
    SitePoint Member
    Join Date
    Nov 2008
    Posts
    3
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Smile $_POST Question

    I am a student and having problems in PHP answering these 2 questions:

    Question 1:
    A common way of building and executing a SQL statement that requires information to be supplied at run-time is to use string concatenation. For example, in PHP, the code might be:

    $pubId = $_POST[“PubId”];
    $sqlString = "SELECT title, name FROM books, publishers WHERE books.publisher_id =".$pubId;

    $sqlString would then be used in the appropriate function to retrieve data from a database. This is a valid approach, but there are problems with using it in web-based applications. What are the problems and what are possible solutions? You are not expected to write any program code here. A general description of possible solutions is acceptable.


    Question 2:
    A PHP script contains the following section of code:

    $firstName = $_POST[“firstname”];
    echo “Hello $firstName”;

    Where “firstname” refers to the contents of a text entry field on the form that caused the PHP script to be executed when the submit button was pressed.

    a) Describe, ideally using an example, why such code can leave the web site vulnerable to malicious attacks.

    b) How would you fix this code to ensure that the site is not vulnerable to attack and how does your fix solve the problem?

  2. #2
    Just Blow It bronze trophy
    DaveMaxwell's Avatar
    Join Date
    Nov 1999
    Location
    Mechanicsburg, PA
    Posts
    7,276
    Mentioned
    119 Post(s)
    Tagged
    1 Thread(s)
    Not to be rude, but you don't really expect us to do your homework for you, do you?
    Dave Maxwell - Manage Your Site Team Leader
    My favorite YouTube Video! | Star Wars, Dr Suess Style
    Learn how to be ready for The Forums' Move to Discourse

  3. #3
    SitePoint Member
    Join Date
    Nov 2008
    Posts
    3
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    You are right, but i am really confused in this one, i have got on the internet and searched the differences it has between the POST GET and REQUEST, but i think the POST has more advantages in most of the cases, but a small help would be great. thanks

  4. #4
    Just Blow It bronze trophy
    DaveMaxwell's Avatar
    Join Date
    Nov 1999
    Location
    Mechanicsburg, PA
    Posts
    7,276
    Mentioned
    119 Post(s)
    Tagged
    1 Thread(s)
    OK, I'll give you a hint. The two questions have nothing to do with the use of $_POST - the problem exists both with $_POST and $_GET.

    You're looking for info on security and php (actually sql and php).
    Dave Maxwell - Manage Your Site Team Leader
    My favorite YouTube Video! | Star Wars, Dr Suess Style
    Learn how to be ready for The Forums' Move to Discourse

  5. #5
    SitePoint Member
    Join Date
    Nov 2008
    Posts
    3
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    ok thankyou very much, i got the main point now.

  6. #6
    SitePoint Member
    Join Date
    Apr 2011
    Posts
    8
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    you want to look at 2 things, normalizing the users input and database permissions.


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •