Re: simple question abt convert to integer

"Vitalii Demianets" <vitas@xxxxxxxxxxxxxxxxx> wrote:

>On Wednesday 25 May 2011 07:05:18 Negin Nickparsa wrote:
>> my code is this:
>> $query1="select * from patient where id=".$_POST['txt'];
>> it works but
>
>Holy Jesus!
>Can't wait to send your server a POST request with txt="1;DROP
>DATABASE; --"
>
>Of course, if you switch to prepared statements instead of string
>embedding
>there won't be much fun.
>
>-- 
>Vitalii
>

Prepared statements aren't the only solution; a decent bit of filtering would work too. In the OP's example he only needed an int, so something like:

$val = intval($_POST['txt']);

would do the trick. It just means that the value is safe (or at least in an expected range) for use elsewhere in the code; it may not necessarily be restricted to a DB query.


Thanks
Ash
-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
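To see how the two suggestions in this thread differ in practice, here is an added example (not code from either poster). It runs the same constructed inputs through intval(), through strict validation with filter_var(), and through a PDO prepared statement; the in-memory SQLite database and the patient rows are assumptions so it runs offline.

```php
<?php
// Added example (not from the thread): coercion, strict validation and a
// prepared statement side by side, against an in-memory SQLite database.

// Constructed sample inputs standing in for $_POST['txt'].
$inputs = ['42', '1;DROP DATABASE; --', 'abc', '007', ' 12 '];

echo "input                       intval()   FILTER_VALIDATE_INT\n";
foreach ($inputs as $in) {
    // intval() never fails: '1;DROP DATABASE; --' becomes 1 and 'abc' becomes 0,
    // so the query runs, just against a row the client never named.
    $coerced = intval($in);
    // FILTER_VALIDATE_INT returns false for anything that is not a whole integer
    // (surrounding whitespace is tolerated, leading zeros are not).
    $strict = filter_var($in, FILTER_VALIDATE_INT);
    printf("%-27s %-10s %s\n", var_export($in, true), var_export($coerced, true), var_export($strict, true));
}

// Assumed schema and rows so the lookup below has something to return.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE patient (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO patient (id, name) VALUES (1, 'Ada'), (42, 'Grace')");

// Validate first so a malformed request is rejected rather than coerced to id 0 or 1,
// then let the driver carry the value as a bound parameter, never as SQL text.
function findPatient(PDO $pdo, string $raw): ?array
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, name FROM patient WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

foreach (['42', '1;DROP DATABASE; --', 'abc'] as $raw) {
    $row = findPatient($pdo, $raw);
    printf("%-27s => %s\n", var_export($raw, true), $row ? json_encode($row) : 'rejected / not found');
}
```

The first loop shows why "safe" and "correct" are not the same thing for intval(): the injection string is neutralised, but it is silently turned into a lookup for patient 1 instead of being rejected.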

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



