Re: newbie.. $_GET & $_POST

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Pablo D Marotta wrote:
Hi there..
I need to pass variables to a page through an html link.
I do it like this:

<A href="Extra/excelListing3.php?buildQuery=<?php echo $buildQuery
?>">Export</A>

where 'buildQuery' is the variable I´m passing.

In the destination page, I capture it with $_GET and that´s it.

I want to know if there is any way of doing it without showing the variables in
the direction bar.

Hi Pablo,

The method you are using to send the query is not a very secure method (depending on how you run it.)

Based on the source code shown, I imagine you have something like this code in excelListing3.php:

$buildQuery = $_GET['buildQuery'];

somedb_query($buildQuery);

What this means is that someone who knows your database structure can type this into their web browser:

http://www.yourhost.com/excelListing3.php?buildQuery=DROP+DATABASE+yourdb

and your program will happily execute it.

Far better is to parameterize your queries and limit the possible input. By this I mean to define a few queries that can be executed, and give them numbers

<A href="Extra/excelListing3.php?queryType=export&queryVar1=<?php echo $queryVar1 ?>&queryVar2=<?php echo $queryVar2 ?>">Export</A>

switch ($_GET['queryType']) {
case 'export' :
$query = 'SELECT * FROM yourdb WHERE queryVar1="' . mysql_escape_string($_GET['queryVar1']) . '" AND queryVar2="' . mysql_escape_string($_GET['queryVar2']) . '"';
}


and so on. I am assuming here that you are using mysql, but simply substitute the appropriate escaping function for another database.

Web security hinges on ensuring that your allowed input is finite and verifiable.

Greg

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux