I know - used to deal with/handle SQL injection prevention quite a bit in
old days - and think have already got one or two code samples for
counteracting it in PHP/MySQL, and they would generally be kept in functions
in a general include file, to be included in all database accessing pages,
and I would also generally not make too much use of querystring/get data
passing in that sense either, but anyway...
One of the workarounds looked into in the past was where it would also just
look like a standard <a /> link on a page, but where it would actually do a
form of hidden form submission where hidden fields would be set with certain
values, either dynamically hard coded, or set using javascript etc., which
could also be worked around by submitting a form from another source, but it
really also depended on the target production environment since while I know
there are automated robotic SQLInjection implementations out there, they
would still also be more likely to target websites that generate more
traffic as such, etc. etc.
Stay well
Jacob Kruger
Blind Biker
Skype: BlindZA
'...fate had broken his body, but not his spirit...'
----- Original Message -----
From: "James Crow" <james@xxxxxxxxxxxxx>
To: <php-windows@xxxxxxxxxxxxx>
Sent: Thursday, April 22, 2010 5:27 PM
Subject: Re: Trouble running a select query against a database,
when I know the connection is working, and the data is there
On 04/14/2010 08:48 PM, Jacob Kruger wrote:
Thanks.
Will be honest, and while have played around with PHP etc., have never
really done much with it in terms of going into production as such
anyway, so, yes, will need to learn/figure out how to do things the best
way, etc.
Stay well
Jacob Kruger
Blind Biker
Skype: BlindZA
'...fate had broken his body, but not his spirit...'
And while you are trying to learn good habits look at SQL Injection
attacks. Using something like $_REQUEST['id'] in a query is just asking
for it. Many of the PHP and MySQL tutorials I have seen barely mention
this problem, if at all.
Consider if someone had sent your script a URL like this:
scipt.php?id='';DELETE FROM table tblLinks;
If the user running the mysql_query() function had the rights to delete
rows on the tblLinks table, the tblLinks table would be empty.
Cheers,
James
--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
__________ Information from ESET NOD32 Antivirus, version of virus
signature database 5051 (20100422) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com
__________ Information from ESET NOD32 Antivirus, version of virus signature database 5051 (20100422) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com
--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
