Re: [PHP] Protecting Queries

2002-11-17 Thread Alnisa Allgood
At 3:31 PM -0500 11/17/02, Stephen wrote:

Since day one of me doing MySQL stuff in PHP, I've always set up my 
query as a variable then put it into the query function such as this:

$query = "SELECT * FROM bobstuff WHERE id='1'";
$result = mysql_query($query, $connection);

I've just become aware of the security risks of this. How could I make 
it so the $query variable isn't editable from the URL? Should I turn 
register_globals off?



Typically speaking you should always use the PHP 
mysql_escape_string() function when accepting data from users. 
I'm not certain it's relevant in your situation, since your 
variable is predefined, but this would be of importance for any forms 
you would have. To use it you just add some code such as:

	$usrName=mysql_escape_string($usrName);

one for each field on a form, then you can do

	$result=mysql_query("SELECT * FROM abc WHERE usrName='$usrName'", $gDB);

This will protect you from users who enter Select, DROP, and other 
statements in your data field.

Alnisa
--
  .
   Alnisa  Allgood
   Executive Director
   Nonprofit Tech
   (ph) 415.337.7412  (fx) 415.337.7927
   (url)  http://www.nonprofit-techworld.org
   (url)  http://www.nonprofit-tech.org
   (url)  http://www.tech-library.org
  .
   Nonprofit Tech E-Update
   mailto:[EMAIL PROTECTED]
  .
   transforming nonprofits through technology
  .


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Protecting Queries

2002-11-17 Thread Stephen
Oh, right, thanks!


- Original Message -
From: "Rasmus Lerdorf" <[EMAIL PROTECTED]>
To: "Stephen" <[EMAIL PROTECTED]>
Sent: Sunday, November 17, 2002 4:05 PM
Subject: Re: [PHP] Protecting Queries


> No, like I said, since you set $query in your script, whatever the user
> passes in is overwritten.
>
> On Sun, 17 Nov 2002, Stephen wrote:
>
> > What I meant was something like this:
> >
> >   The user types in the URL http://myplace/script.php?query=DELETE * FROM
> > table WHERE id=1.
> >   The query is overwritten and the section is deleted...
> >
> > Is that possible?
> >
> >
> > - Original Message -
> > From: "Rasmus Lerdorf" <[EMAIL PROTECTED]>
> > To: "Stephen" <[EMAIL PROTECTED]>
> > Cc: "PHP List" <[EMAIL PROTECTED]>
> > Sent: Sunday, November 17, 2002 3:46 PM
> > Subject: Re: [PHP] Protecting Queries
> >
> >
> > > No, that is fine.  User-supplied data can not override a variable
> > > defined directly in your script like that regardless of the
> > > register_globals setting.
> > >
> > > -Rasmus
> > >
> > > On Sun, 17 Nov 2002, Stephen wrote:
> > >
> > > > Since day one of me doing MySQL stuff in PHP, I've always set up my
> > > > query as a variable then put it into the query function such as this:
> > > >
> > > > $query = "SELECT * FROM bobstuff WHERE id='1'";
> > > > $result = mysql_query($query, $connection);
> > > >
> > > > I've just become aware of the security risks of this. How could I make
> > > > it so the $query variable isn't editable from the URL? Should I turn
> > > > register_globals off?
> > > >
> > > > Thanks,
> > > > Stephen Craton
> > > > http://www.melchior.us
> > > >
> > > > "Life is a gift from God. Wasting it is like destroying a gift you
> > > > got from the person you love most." -- http://www.melchior.us
> > >
> > >
> >
>
>






Re: [PHP] Protecting Queries

2002-11-17 Thread Stephen
What I meant was something like this:

  The user types in the URL http://myplace/script.php?query=DELETE * FROM
table WHERE id=1.
  The query is overwritten and the section is deleted...

Is that possible?


> - Original Message -
> From: "Rasmus Lerdorf" <[EMAIL PROTECTED]>
> To: "Stephen" <[EMAIL PROTECTED]>
> Cc: "PHP List" <[EMAIL PROTECTED]>
> Sent: Sunday, November 17, 2002 3:46 PM
> Subject: Re: [PHP] Protecting Queries
>
>
> > No, that is fine.  User-supplied data can not override a variable
> > defined directly in your script like that regardless of the
> > register_globals setting.
> >
> > -Rasmus
> >
> > On Sun, 17 Nov 2002, Stephen wrote:
> >
> > > Since day one of me doing MySQL stuff in PHP, I've always set up my
> > > query as a variable then put it into the query function such as this:
> > >
> > > $query = "SELECT * FROM bobstuff WHERE id='1'";
> > > $result = mysql_query($query, $connection);
> > >
> > > I've just become aware of the security risks of this. How could I make
> > > it so the $query variable isn't editable from the URL? Should I turn
> > > register_globals off?
> > >
> > > Thanks,
> > > Stephen Craton
> > > http://www.melchior.us
> > >
> > > "Life is a gift from God. Wasting it is like destroying a gift you got
> > > from the person you love most." -- http://www.melchior.us
> >
> >
>






Re: [PHP] Protecting Queries

2002-11-17 Thread Rasmus Lerdorf
No, that is fine.  User-supplied data can not override a variable defined
directly in your script like that regardless of the register_globals
setting.

-Rasmus

On Sun, 17 Nov 2002, Stephen wrote:

> Since day one of me doing MySQL stuff in PHP, I've always set up my query as a
> variable then put it into the query function such as this:
>
> $query = "SELECT * FROM bobstuff WHERE id='1'";
> $result = mysql_query($query, $connection);
>
> I've just become aware of the security risks of this. How could I make it so the
> $query variable isn't editable from the URL? Should I turn register_globals off?
>
> Thanks,
> Stephen Craton
> http://www.melchior.us
>
> "Life is a gift from God. Wasting it is like destroying a gift you got from the
> person you love most." -- http://www.melchior.us






Re: [PHP] Protecting Queries

2002-11-17 Thread Jonathan Sharp
the issue isn't with query, it's with variables used within queries...

example:
$id = $_GET['id'];
$query = "SELECT * FROM mytable WHERE id=$id";

and if you call this page as (or something like this):
?id='' OR 1=1

You can alter the query

-js


Stephen wrote:
> Since day one of me doing MySQL stuff in PHP, I've always set up my
> query as a variable then put it into the query function such as this:
>  
> $query = "SELECT * FROM bobstuff WHERE id='1'";
> $result = mysql_query($query, $connection);
>  
> I've just become aware of the security risks of this. How could I make it
> so the $query variable isn't editable from the URL? Should I turn
> register_globals off?
> 
> Thanks,
> Stephen Craton
> http://www.melchior.us
>  
> "Life is a gift from God. Wasting it is like destroying a gift you got
> from the person you love most." -- http://www.melchior.us
> 



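Added example (Python, not code from the thread) that replays Jonathan's `?id='' OR 1=1` payload and Alnisa's escape-then-quote pattern against a constructed in-memory SQLite table so it runs offline; `sql_quote` (standard-SQL quote doubling) stands in for MySQL's mysql_escape_string(). It also shows the caveat neither reply spells out: escaping only helps when the escaped value sits inside quotes, whereas placeholder binding covers both the numeric and the string case.

```python
import sqlite3

# Constructed in-memory stand-in for the thread's MySQL table (not the
# thread's own code); SQLite is used only so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (id INTEGER PRIMARY KEY, usrName TEXT)")
    conn.executemany("INSERT INTO mytable VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn

def sql_quote(value):
    # Standard-SQL quoting (double each embedded single quote). Stands in
    # for mysql_escape_string(), which uses backslash escapes on MySQL.
    return value.replace("'", "''")

def vulnerable_id_lookup(conn, user_id):
    # Jonathan's pattern: "WHERE id=$id" with the value dropped in unquoted.
    sql = "SELECT id FROM mytable WHERE id=%s" % user_id
    return conn.execute(sql).fetchall()

def escaped_id_lookup(conn, user_id):
    # Escaped, but still interpolated without surrounding quotes: the quotes
    # in the payload are neutralised, the trailing "OR 1=1" is not.
    sql = "SELECT id FROM mytable WHERE id=%s" % sql_quote(user_id)
    return conn.execute(sql).fetchall()

def escaped_name_lookup(conn, usr_name):
    # Alnisa's pattern: escape, then interpolate inside single quotes. Here
    # escaping works, because the value can no longer close the string.
    sql = "SELECT id FROM mytable WHERE usrName='%s'" % sql_quote(usr_name)
    return conn.execute(sql).fetchall()

def parameterized_id_lookup(conn, user_id):
    # Placeholder binding: the value is sent separately from the SQL text,
    # so it can never change the statement's structure.
    return conn.execute("SELECT id FROM mytable WHERE id=?", (user_id,)).fetchall()

def run_demo():
    conn = make_db()
    id_payload = "'' OR 1=1"       # the payload quoted in the thread
    name_payload = "' OR '1'='1"   # same idea aimed at a quoted text field
    return {
        "vulnerable": vulnerable_id_lookup(conn, id_payload),        # all 3 rows
        "escaped_unquoted": escaped_id_lookup(conn, id_payload),     # still all 3
        "escaped_quoted": escaped_name_lookup(conn, name_payload),   # no rows
        "parameterized": parameterized_id_lookup(conn, id_payload),  # no rows
        "legit": parameterized_id_lookup(conn, 2),                   # [(2,)]
    }
```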





[PHP] Protecting Queries

2002-11-17 Thread Stephen



Since day one of me doing MySQL stuff in PHP, I've always set 
up my query as a variable then put it into the query function such as 
this:

    $query = "SELECT * FROM bobstuff WHERE id='1'";
    $result = mysql_query($query, $connection);

I've just become aware of the security risks of this. How could 
I make it so the $query variable isn't editable from the URL? Should I turn 
register_globals off?

Thanks,
Stephen Craton
http://www.melchior.us

"Life is a gift from God. Wasting it is like destroying a gift you got from 
the person you love most." -- http://www.melchior.us