Re: [PHP] Protecting Queries
At 3:31 PM -0500 11/17/02, Stephen wrote:

> Since day one of me doing MySQL stuff in PHP, I've always set up my query as a
> variable then put it into the query function such as this:
>
> $query = "SELECT * FROM bobstuff WHERE id='1'";
> $result = mysql_query($query, $connection);
>
> I've just come aware of the security risks of this. How could I make it so the
> $query variable isn't editable from the URL? Should I turn register_globals off?

Typically speaking you should always use the PHP mysql_escape_string() function when accepting data from users. I'm not certain it's relevant in your situation, since your variable is predefined, but this would be of importance for any forms you would have. To use it you just add some code such as:

$usrName = mysql_escape_string($usrName);

one for each field on a form, then you can do

$result = mysql_query("SELECT * FROM abc WHERE usrName='$usrName'", $gDB);

This will protect you from users who enter SELECT, DROP, and other statements in your data field.

Alnisa

-- 
Alnisa Allgood
Executive Director
Nonprofit Tech
(ph) 415.337.7412 (fx) 415.337.7927
(url) http://www.nonprofit-techworld.org
(url) http://www.nonprofit-tech.org
(url) http://www.tech-library.org
Nonprofit Tech E-Update mailto:[EMAIL PROTECTED]
transforming nonprofits through technology

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Protecting Queries
Oh, right, thanks!

----- Original Message -----
From: "Rasmus Lerdorf" <[EMAIL PROTECTED]>
To: "Stephen" <[EMAIL PROTECTED]>
Sent: Sunday, November 17, 2002 4:05 PM
Subject: Re: [PHP] Protecting Queries

> No, like I said, since you set $query in your script, whatever the user
> passes in is overwritten.
>
> On Sun, 17 Nov 2002, Stephen wrote:
>
> > What I meant was something like this:
> >
> > The user types in the URL http://myplace/script.php?query=DELETE * FROM
> > table WHERE id=1.
> > The query is overwritten and the section is deleted...
> >
> > Is that possible?
> >
> > ----- Original Message -----
> > From: "Rasmus Lerdorf" <[EMAIL PROTECTED]>
> > To: "Stephen" <[EMAIL PROTECTED]>
> > Cc: "PHP List" <[EMAIL PROTECTED]>
> > Sent: Sunday, November 17, 2002 3:46 PM
> > Subject: Re: [PHP] Protecting Queries
> >
> > > No, that is fine. User-supplied data can not override a variable defined
> > > directly in your script like that regardless of the register_globals
> > > setting.
> > >
> > > -Rasmus
> > >
> > > On Sun, 17 Nov 2002, Stephen wrote:
> > >
> > > > Since day one of me doing MySQL stuff in PHP, I've always set up my
> > > > query as a variable then put it into the query function such as this:
> > > >
> > > > $query = "SELECT * FROM bobstuff WHERE id='1'";
> > > > $result = mysql_query($query, $connection);
> > > >
> > > > I've just come aware of the security risks of this. How could I make it
> > > > so the $query variable isn't editable from the URL? Should I turn
> > > > register_globals off?
> > > >
> > > > Thanks,
> > > > Stephen Craton
> > > > http://www.melchior.us
> > > >
> > > > "Life is a gift from God. Wasting it is like destroying a gift you got
> > > > from the person you love most." -- http://www.melchior.us
Re: [PHP] Protecting Queries
What I meant was something like this:

The user types in the URL http://myplace/script.php?query=DELETE * FROM table WHERE id=1.
The query is overwritten and the section is deleted...

Is that possible?

> ----- Original Message -----
> From: "Rasmus Lerdorf" <[EMAIL PROTECTED]>
> To: "Stephen" <[EMAIL PROTECTED]>
> Cc: "PHP List" <[EMAIL PROTECTED]>
> Sent: Sunday, November 17, 2002 3:46 PM
> Subject: Re: [PHP] Protecting Queries
>
> > No, that is fine. User-supplied data can not override a variable defined
> > directly in your script like that regardless of the register_globals
> > setting.
> >
> > -Rasmus
> >
> > On Sun, 17 Nov 2002, Stephen wrote:
> >
> > > Since day one of me doing MySQL stuff in PHP, I've always set up my
> > > query as a variable then put it into the query function such as this:
> > >
> > > $query = "SELECT * FROM bobstuff WHERE id='1'";
> > > $result = mysql_query($query, $connection);
> > >
> > > I've just come aware of the security risks of this. How could I make it
> > > so the $query variable isn't editable from the URL? Should I turn
> > > register_globals off?
> > >
> > > Thanks,
> > > Stephen Craton
> > > http://www.melchior.us
> > >
> > > "Life is a gift from God. Wasting it is like destroying a gift you got
> > > from the person you love most." -- http://www.melchior.us
Re: [PHP] Protecting Queries
No, that is fine. User-supplied data can not override a variable defined directly in your script like that regardless of the register_globals setting.

-Rasmus

On Sun, 17 Nov 2002, Stephen wrote:

> Since day one of me doing MySQL stuff in PHP, I've always set up my query as a
> variable then put it into the query function such as this:
>
> $query = "SELECT * FROM bobstuff WHERE id='1'";
> $result = mysql_query($query, $connection);
>
> I've just come aware of the security risks of this. How could I make it so the
> $query variable isn't editable from the URL? Should I turn register_globals off?
>
> Thanks,
> Stephen Craton
> http://www.melchior.us
>
> "Life is a gift from God. Wasting it is like destroying a gift you got from the
> person you love most." -- http://www.melchior.us
Re: [PHP] Protecting Queries
The issue isn't with $query, it's with variables used within queries. Example:

$id = $_GET['id'];
$query = "SELECT * FROM mytable WHERE id=$id";

and if you call this page as (or something like this):

?id='' OR 1=1

you can alter the query.

-js

Stephen wrote:

> Since day one of me doing MySQL stuff in PHP, I've always set up my
> query as a variable then put it into the query function such as this:
>
> $query = "SELECT * FROM bobstuff WHERE id='1'";
> $result = mysql_query($query, $connection);
>
> I've just come aware of the security risks of this. How could I make it
> so the $query variable isn't editable from the URL? Should I turn
> register_globals off?
>
> Thanks,
> Stephen Craton
> http://www.melchior.us
>
> "Life is a gift from God. Wasting it is like destroying a gift you got
> from the person you love most." -- http://www.melchior.us
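An added example, not code from the thread: the interpolated query js describes above, run against an in-memory SQLite table (constructed here, so no MySQL server is needed) beside the escaping Alnisa recommends and a prepared statement. The table name and the id value come from js's message; PDO::quote stands in for mysql_escape_string(), which no longer exists in current PHP.

```php
<?php
// Added example, not from the thread. In-memory SQLite via PDO so it runs
// offline; the table and its three rows are constructed here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE mytable (id INTEGER, name TEXT)");
$db->exec("INSERT INTO mytable VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Stand-in for $_GET['id'], set to the value js gives in the thread.
$id = "'' OR 1=1";

// 1. Interpolation, as in js's snippet: the input is parsed as SQL, so the
//    WHERE clause becomes  id='' OR 1=1  and every row comes back.
function interpolated(PDO $db, string $id): int {
    $query = "SELECT * FROM mytable WHERE id=$id";
    echo "interpolated: $query\n";
    return count($db->query($query)->fetchAll(PDO::FETCH_ASSOC));
}

// 2. Escaping, the mysql_escape_string() approach Alnisa describes (PDO::quote
//    stands in for it and also adds the surrounding quotes). The whole input
//    is now a single string literal, so no row matches. This only helps
//    because the value ends up inside quotes; an unquoted numeric position
//    as in (1) is not rescued by escaping alone.
function escaped(PDO $db, string $id): int {
    $query = "SELECT * FROM mytable WHERE id=" . $db->quote($id);
    echo "escaped:      $query\n";
    return count($db->query($query)->fetchAll(PDO::FETCH_ASSOC));
}

// 3. Prepared statement: the SQL text is fixed and the value is bound as
//    data, so it is never part of the query grammar whatever it contains.
function prepared(PDO $db, string $id): int {
    $stmt = $db->prepare("SELECT * FROM mytable WHERE id = ?");
    $stmt->execute([$id]);
    echo "prepared:     SELECT * FROM mytable WHERE id = ?  (bound: $id)\n";
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

printf("rows returned: interpolated=%d escaped=%d prepared=%d\n",
       interpolated($db, $id), escaped($db, $id), prepared($db, $id));
```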
[PHP] Protecting Queries
Since day one of me doing MySQL stuff in PHP, I've always set up my query as a variable then put it into the query function such as this:

$query = "SELECT * FROM bobstuff WHERE id='1'";
$result = mysql_query($query, $connection);

I've just come aware of the security risks of this. How could I make it so the $query variable isn't editable from the URL? Should I turn register_globals off?

Thanks,
Stephen Craton
http://www.melchior.us

"Life is a gift from God. Wasting it is like destroying a gift you got from the person you love most." -- http://www.melchior.us