Re: Trouble running a select query against a database, when I know the connection is working, and the data is there

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I know - used to deal with/handle SQL injection prevention quite a bit in old days - and think have already got one or two code samples for counteracting it in PHP/MySQL, and they would generally be kept in functions in a general include file, to be included in all database accessing pages, and I would also generally not make too much use of querystring/get data passing in that sense either, but anyway...

One of the workarounds looked into in the past was where it would also just look like a standard <a /> link on a page, but where it would actually do a form of hidden form submission where hidden fields would be set with certain values, either dynamically hard coded, or set using javascript etc., which could also be worked around by submitting a form from another source, but it really also depended on the target production environment since while I know there are automated robotic SQLInjection implementations out there, they would still also be more likely to target websites that generate more traffic as such, etc. etc.

Stay well

Jacob Kruger
Blind Biker
Skype: BlindZA
'...fate had broken his body, but not his spirit...'

----- Original Message ----- From: "James Crow" <james@xxxxxxxxxxxxx>
To: <php-windows@xxxxxxxxxxxxx>
Sent: Thursday, April 22, 2010 5:27 PM
Subject: Re: Trouble running a select query against a database, when I know the connection is working, and the data is there


On 04/14/2010 08:48 PM, Jacob Kruger wrote:
Thanks.

Will be honest, and while have played around with PHP etc., have never really done much with it in terms of going into production as such anyway, so, yes, will need to learn/figure out how to do things the best way, etc.

Stay well

Jacob Kruger
Blind Biker
Skype: BlindZA
'...fate had broken his body, but not his spirit...'
And while you are trying to learn good habits look at SQL Injection attacks. Using something like $_REQUEST['id'] in a query is just asking for it. Many of the PHP and MySQL tutorials I have seen barely mention this problem, if at all.

Consider if someone had sent your script a URL like this:
scipt.php?id='';DELETE FROM table tblLinks;
If the user running the mysql_query() function had the rights to delete rows on the tblLinks table, the tblLinks table would be empty.

Cheers,
James

--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


__________ Information from ESET NOD32 Antivirus, version of virus signature database 5051 (20100422) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com





__________ Information from ESET NOD32 Antivirus, version of virus signature database 5051 (20100422) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com




--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [PHP Users]     [PHP Database Programming]     [PHP Install]     [Kernel Newbies]     [Yosemite Forum]     [PHP Books]

  Powered by Linux