Re: Newbie question, Which way is best?

On Wed, Mar 19, 2008 at 4:45 PM, George J <georgejamieson@xxxxxxxxxxxxx> wrote:
> Hi Daniel,
>
>
>  >    WHOA!  Passing the SQL query via a URL is a Very Bad Idea[tm]!
>
>  As a newbie I just have to ask why. I suspect you're going to say it gives
>  the table and field names used in my database. I'm not really aware of all
>  the possible avenues that this method might open up. It just feels wrong to
>  include these details. This is the reason I've asked for help.

    That's exactly what you should be doing, George.  That's how you learn!  ;-)

    Not only are you giving away the schema of your database, but it
makes it that much easier to do VERY nasty things.  For example, say
you access the file like so:

    http://www.domain.com/path/script.php?query=SELECT%20*%20FROM%20table%20WHERE%20result='this'%20LIMIT%2020,%2030

    I could change it to something like this:

    http://www.domain.com/path/script.php?query=SELECT%20*%20FROM%20table%20WHERE%20result='this'%20LIMIT%2020,%2030;DELETE%20FROM%20TABLE%20WHERE%201

    And your database table is gone.

>  The form part of the script works fine, so can we ignore that, or does it
>  impact on the pagination code that I'm having trouble with?

    As long as you sanitize anything sent to the database, I'm sure
it's fine.  Check out mysql_real_escape_string() for more on that:
http://php.net/mysql-real-escape-string

    NOTE: If you're using mysqli, you don't need to add
mysql_real_escape_string() because it's already handled automatically.

-- 
</Daniel P. Brown>
Forensic Services, Senior Unix Engineer
1+ (570-) 362-0283
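The approach Daniel recommends, keeping the SQL text inside the script and letting the URL carry only a page number and a filter value, as an added PHP example that is not from the original thread. The table name `results`, the column `result`, the connection credentials and the 20 rows per page are assumptions for illustration; user input is bound as parameters of a prepared statement rather than spliced into the query string.

```php
<?php
// Added example, not from the original thread. Assumed: table `results`
// with columns `id` and `result`, database `app_db`, user `app_user`.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');

$rows_per_page = 20;

// The only numeric input from the URL is the page number; anything that is
// not a positive integer falls back to page 1.
$page = filter_var($_GET['page'] ?? '1', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($page === false) {
    $page = 1;
}
// The filter value is treated as plain data and bound below.
$wanted = (string) ($_GET['result'] ?? 'this');
$offset = ($page - 1) * $rows_per_page;

// The SQL text is fixed in the script; the values are bound, so quotes or
// semicolons inside $wanted are matched literally, never executed.
$stmt = $db->prepare(
    'SELECT id, result FROM results WHERE result = ? ORDER BY id LIMIT ?, ?'
);
$stmt->bind_param('sii', $wanted, $offset, $rows_per_page);
$stmt->execute();
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);

// Row count for the page links, using the same bound filter.
$count = $db->prepare('SELECT COUNT(*) FROM results WHERE result = ?');
$count->bind_param('s', $wanted);
$count->execute();
$total = (int) $count->get_result()->fetch_row()[0];
$last_page = max(1, (int) ceil($total / $rows_per_page));

foreach ($rows as $row) {
    // Escape on output as well, so stored data cannot inject HTML.
    echo htmlspecialchars($row['result'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
// Page links carry only the page number and the filter value, never SQL.
for ($p = 1; $p <= $last_page; $p++) {
    printf('<a href="script.php?page=%d&result=%s">%d</a> ',
        $p, urlencode($wanted), $p);
}
```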

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php