[snip]
Let's say you have a statement like:
$query = "SELECT * FROM mytable WHERE firstname=$firstname";
And if $firstname is set to:
"xyz"; DELETE FROM mytable
Then this is executed as: SELECT * FROM mytable WHERE firstname="xyz"; DELETE FROM mytable
This can wipe out your table... a bad thing.
Or,
You can use this:
http://www.php.net/manual/en/function.is-numeric.php
- E
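The injection Rick describes above, reproduced as an added illustration that is not part of the thread. Python's sqlite3 module stands in for PHP's mysql_query() and MySQL, and the table and rows are constructed sample data; the function names (lookup_interpolated, stacked_interpolated, lookup_parameterized, as_int) are this example's own. It shows the three points the thread circles around: an unescaped quote lets the caller rewrite the WHERE clause without any ';' at all, a driver that executes stacked statements lets the DELETE go through, and either a bound parameter (the driver doing the escaping that addslashes() did by hand) or a strict numeric check closes both holes.

```python
import re
import sqlite3

# Constructed sample data standing in for the thread's "mytable".
SAMPLE_ROWS = [
    ("alice", "alice@example.org"),
    ("bob", "bob@example.org"),
    ("carol", "carol@example.org"),
]


def fresh_db() -> sqlite3.Connection:
    """Return an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mytable (id INTEGER PRIMARY KEY, firstname TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO mytable (firstname, email) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT count(*) FROM mytable").fetchone()[0]


def lookup_interpolated(conn: sqlite3.Connection, firstname: str) -> list:
    """The thread's vulnerable pattern: the value is pasted into the SQL text.

    A quote in `firstname` ends the string literal, so the caller controls the
    rest of the WHERE clause. This is a single statement; no ';' is needed, so
    a driver that refuses stacked statements does not help here."""
    query = "SELECT id, firstname FROM mytable WHERE firstname='%s'" % firstname
    return conn.execute(query).fetchall()


def stacked_interpolated(conn: sqlite3.Connection, firstname: str) -> int:
    """Same string building, run through an API that executes every
    ';'-separated statement, as Jason notes some SQL servers do.
    sqlite3.executescript() only models that behaviour here.
    Returns the number of rows left in the table afterwards."""
    query = "SELECT id, firstname FROM mytable WHERE firstname='%s'" % firstname
    conn.executescript(query)
    return row_count(conn)


def lookup_parameterized(conn: sqlite3.Connection, firstname: str) -> list:
    """The fix: the value travels as a bound parameter, never as SQL text.
    Whatever quotes or ';' it contains, it is only ever compared to a column."""
    return conn.execute(
        "SELECT id, firstname FROM mytable WHERE firstname = ?", (firstname,)
    ).fetchall()


def as_int(param: str) -> int:
    """Validate a value that must be a number before it goes anywhere near SQL.

    Unlike PHP's (int) cast, which quietly turns "1001 OR 1=1" into 1001,
    anything that is not a plain decimal string is rejected outright."""
    if not re.fullmatch(r"[0-9]{1,18}", param):
        raise ValueError("not a numeric id: %r" % param)
    return int(param)


if __name__ == "__main__":
    payload = "xyz' OR '1'='1"
    print(lookup_interpolated(fresh_db(), payload))    # every row in the table
    print(lookup_parameterized(fresh_db(), payload))   # []
    print(stacked_interpolated(fresh_db(), "xyz'; DELETE FROM mytable; --"))  # 0
    print(as_int("1001"))                              # 1001
```

The two rules of thumb the thread converges on fall out of this directly: a value that must be a number is validated as a number (not merely cast), and a string value is never concatenated into the query text but handed to the driver to quote, whether that is a bound parameter as here or, in the PHP of the time, addslashes() on every string that reaches the query.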
"John W. Holmes" <[EMAIL PROTECTED]> wrote:
> > > Then make sure $id is a number. You can use is_int, or (int), or whatever.
> >
> > It appears that any numeric values passed via the URL (..?param=10001) ar
> > Bottom line is that you want to use addslashes() or magic_quotes_gpc()
> > on any variable you're going to insert into a query string. If you're
> > inserting a variable that should be a number, make sure it is one.
>
> If I have magic quotes turned on, do I still need to worry about using a
John W. Holmes wrote:
>
> Bottom line is that you want to use addslashes() or magic_quotes_gpc()
> on any variable you're going to insert into a query string. If you're
> inserting a variable that should be a number, make sure it is one.
If I have magic quotes turned on, do I still need to worry
> > Then make sure $id is a number. You can use is_int, or (int), or whatever.
>
> It appears that any numeric values passed via the URL (..?param=10001) are
> automatically treated as strings. If I pass ?param=1001 to the following
> script...
So turn it into an integer.
$param = (int)$_POST[
John W. Holmes wrote:
> Then make sure $id is a number. You can use is_int, or (int), or whatever.
It appears that any numeric values passed via the URL (..?param=10001) are
automatically treated as strings. If I pass ?param=1001 to the following
script...
$type = '';
if (is_string($para
> I'm confused about when I should escape single or double quotes. Should all
> quotes be stored as \" or \' in a database as well?
Escape both, just use addslashes. The key here is that if you are
inserting a variable into a string (which is all a query is), then you
want to make sure that the
John W. Holmes wrote:
> Then make sure $name has all single quotes escaped within it. If all of
> them are escaped, then it's just a string and can't do any harm. If they
> aren't escaped, then the user can break out of your own SQL and put
> their own.
I'm confused about when I should escape si
> > You can still use extract($_POST).
> > It is as safe/vulnerable as $_POST['isAdmin'].
> >
> > In either case, use only variables that you know are yours and be certain
> > these contain values which you believe to be safe. For instance, if you expect
> > a variable called $firstname to cont
Rick Emery wrote:
> You can still use extract($_POST).
> It is as safe/vulnerable as $_POST['isAdmin'].
>
> In either case, use only variables that you know are yours and be certain
> these contain values which you believe to be safe. For instance, if you expect
> a variable called $firstname to
> Well, one way you can avoid similar things to happen is, you can do
> something like, say, create a user that can only SELECT. If the user can
> only SELECT then it cannot DELETE.
This is a great suggestion from Rick. I already use this method. I have
several MySQL users set up for various funct
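Rick's suggestion of a database account that can only SELECT, shown as an added example that is not from the thread. In MySQL this is a GRANT (for instance `GRANT SELECT ON mydb.* TO 'webuser'@'localhost'`); sqlite3 has no accounts, so an authorizer callback stands in for the privilege check, and the table contents are constructed sample data. The names select_only, open_as_readonly_user, run_script and vulnerable_lookup are this example's own. It shows both halves of the exchange between Rick and Jason: the stacked DELETE is refused by the read-only account, but the same unescaped string still lets the caller read every row (here via UNION) inside a single SELECT, so the restricted account limits the damage rather than preventing the injection.

```python
import sqlite3

# Constructed sample data standing in for the thread's "mytable".
SAMPLE_ROWS = [("alice", "alice@example.org"), ("bob", "bob@example.org")]

# Actions a SELECT-only account must never be allowed to perform.
WRITE_ACTIONS = {
    sqlite3.SQLITE_INSERT,
    sqlite3.SQLITE_UPDATE,
    sqlite3.SQLITE_DELETE,
    sqlite3.SQLITE_CREATE_TABLE,
    sqlite3.SQLITE_DROP_TABLE,
    sqlite3.SQLITE_ALTER_TABLE,
}


def select_only(action, arg1, arg2, dbname, source):
    """Authorizer callback: veto anything that writes, allow everything else.
    SQLite consults it while compiling each statement, before it runs."""
    return sqlite3.SQLITE_DENY if action in WRITE_ACTIONS else sqlite3.SQLITE_OK


def open_as_readonly_user() -> sqlite3.Connection:
    """Populate the table, then drop to SELECT-only for everything the page does.
    With MySQL the same effect comes from connecting as a user that only
    holds the SELECT privilege."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mytable (id INTEGER PRIMARY KEY, firstname TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO mytable (firstname, email) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    conn.set_authorizer(select_only)  # from here on the "user" can only read
    return conn


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT count(*) FROM mytable").fetchone()[0]


def run_script(conn: sqlite3.Connection, sql: str):
    """Execute `sql` (possibly several ';'-separated statements) and return the
    error text if the SELECT-only authorizer vetoed it, else None."""
    try:
        conn.executescript(sql)
        return None
    except sqlite3.DatabaseError as exc:  # SQLite reports "not authorized"
        return str(exc)


def vulnerable_lookup(conn: sqlite3.Connection, firstname: str) -> list:
    """Rick's string-built query, unchanged. The read-only account cannot stop
    the caller from widening the SELECT to columns it was never meant to see."""
    query = "SELECT id, firstname FROM mytable WHERE firstname='%s'" % firstname
    return conn.execute(query).fetchall()


if __name__ == "__main__":
    conn = open_as_readonly_user()
    stacked = "SELECT id, firstname FROM mytable WHERE firstname='xyz'; DELETE FROM mytable; --'"
    print(run_script(conn, stacked))   # not authorized
    print(row_count(conn))             # 2, the table survived
    leak = "xyz' UNION SELECT id, email FROM mytable --"
    print(vulnerable_lookup(conn, leak))  # every e-mail address, read-only or not
```

Use the restricted account for the pages that only read, keep a separate account for the few scripts that must write, and still escape or parameterize every value: the account bounds what an injection can do, it does not make the query safe.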
[EMAIL PROTECTED]
> Subject: Re: [PHP] extract($_POST)
>
>
> You assume mysql.
> Other SQL databases allow multiple statements.
>
> > -Original Message-
> > From: Rick Emery [mailto:remery@;emeryloftus.com]
> > Sent: Friday, October 25, 2002 4:59 PM
> > To:
True. That's why I said:
> > then you can check whether the value
> > is_numeric() or something.
I think this narrows down what you're checking. So, if you send me "any
value" my script would just reject it. Besides, this is just a hint--there
are many ways to validate. Of course, you know that...
You assume mysql.
Other SQL databases allow multiple statements.
> -Original Message-
> From: Rick Emery [mailto:remery@;emeryloftus.com]
> Sent: Friday, October 25, 2002 4:59 PM
> To: Chris Boget; [EMAIL PROTECTED]; Monty
> Subject: Re: [PHP] extract($_POST)
>
>
You can still create a sub-query to do the damage.
Jason
-Original Message-
From: John W. Holmes [mailto:holmes072000@;charter.net]
Sent: Friday, October 25, 2002 4:01 PM
To: 'Rick Emery'; 'Chris Boget'; [EMAIL PROTECTED]; 'Monty'
Subject: RE: [PHP] e
r in the page.
---John Holmes...
> -Original Message-
> From: Rick Emery [mailto:remery@;emeryloftus.com]
> Sent: Friday, October 25, 2002 4:27 PM
> To: [EMAIL PROTECTED]; Monty
> Subject: Re: [PHP] extract($_POST)
>
> You can still use extract($_POST).
> It is as safe/vulernab
[snip]
> There are many places (websites) wherein you can choose the country from a
> pulldown menu. This prevents somebody (somehow) from posting something
> illegal. Besides, if the values assigned are numbers (e.g. <option value="100">My Country) then you can check whether the value
> is_numeric() or s
> This thread has been great! I've learned so much useful stuff.
>
> > For instance, if you expect a variable called $firstname to contain
> > a name to be stored in a SQL database, be certain it does not contain
> > SQL commands which can damage your database.
>
> This is another thing I'd be i
> Sent: Friday, October 25, 2002 4:59 PM
> To: Chris Boget; [EMAIL PROTECTED]; Monty
> Subject: Re: [PHP] extract($_POST)
>
> Lets say you have a statement like:
> $query = "SELECT * FROM mytable WHERE firstname=$firstname";
>
> And if $firstname is set to:
> "xyz"; DELETE FRO
Hello,
"Rick Emery" <[EMAIL PROTECTED]> wrote:
> Lets say you have a statement like:
> $query = "SELECT * FROM mytable WHERE firstname=$firstname";
>
> And if $firstname is set to:
> "xyz"; DELETE FROM mytable
>
> Then this is executed as: SELECT * FROM mytable WHERE firstname="xyz"; DELETE FROM
e out your table...a bad thing...
- Original Message -
From: "Chris Boget" <[EMAIL PROTECTED]>
To: "Rick Emery" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; "Monty"
<[EMAIL PROTECTED]>
Sent: Friday, October 25, 2002 3:41 PM
Subject: Re: [PHP] extr
This thread has been great! I've learned so much useful stuff.
> For instance, if you expect a variable called $firstname to contain
> a name to be stored in a SQL database, be certain it does not contain
> SQL commands which can damage your database.
This is another thing I'd be interested in
Hello,
"Monty" <[EMAIL PROTECTED]> wrote:
> Okay, I really want to understand how to make $_GET and $_POST more secure
> because it means changing a fundamental way my scripts are now working.
>
> So, it sounds like what I need to do in order to make form data more secure
> is something like this
'] will NOT protect you.
Bottom line: you can be cracked. There are no certain protections.
- Original Message -
From: "Monty" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 25, 2002 3:13 PM
Subject: Re: [PHP] extract($_POST)
Okay, I real
> Organization: WebPower Design
> Newsgroups: php.general
> Date: Fri, 25 Oct 2002 13:06:10 -0400
> To: "Johnson, Kirk" <[EMAIL PROTECTED]>, PHP General
> <[EMAIL PROTECTED]>
> Subject: Re: [PHP] extract($_POST)
>
> -BEGIN PGP SIGNED MESSAGE-
> H
[EMAIL PROTECTED]>; "PHP General"
<[EMAIL PROTECTED]>
Sent: Friday, October 25, 2002 2:07 PM
Subject: Re: [PHP] extract($_POST)
And if you want to take it a step further, to ensure that the values are
submitted from YOUR form, check the $_SERVER['HTTP_REFERER'] to see if
it'
I thought of this as well and looked into the PHP documentation about this
option. Here's a side note that the documentation includes:
Not all user agents will set this, and some provide the ability to modify
HTTP_REFERER as a feature. In short, it cannot really be trusted.
Even though it's not a s
"PHP General"
<[EMAIL PROTECTED]>
Sent: Friday, October 25, 2002 2:07 PM
Subject: Re: [PHP] extract($_POST)
> And if you want to take it a step further, to ensure that the values are
> submitted from YOUR form, check the $_SERVER['HTTP_REFERER'] to see if
> it'
And if you want to take it a step further, to ensure that the values are
submitted from YOUR form, check the $_SERVER['HTTP_REFERER'] to see if
it's coming from your domain | page.
Paul Nicholson wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Friday 25 October 2002 11:23 am, Johnson, K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Friday 25 October 2002 11:23 am, Johnson, Kirk wrote:
> > And what should these precautions be? If a malicious user can submit
> > his own form and you are looking for a POST variable, how can you
> > ensure that $admin came from your form and not
> And what should these precautions be? If a malicious user can submit
> his own form and you are looking for a POST variable, how can you
> ensure that $admin came from your form and not that user's?
The problem is when a cracker uses form variables in an attempt to set the
values of "flag" v
From: "Chris Boget" <[EMAIL PROTECTED]>
To: "Rick Emery" <[EMAIL PROTECTED]>
Cc: "PHP General" <[EMAIL PROTECTED]>
Sent: Friday, October 25, 2002 8:53 AM
Subject: Re: [PHP] extract($_POST)
> The more secure method ensures it MUST come from a
> The more secure method ensures it MUST come from a form. Be
> advised: the user can create his own form with $admin as a variable
> and submit it to your PHP script. Therefore, additional precautions
> and authentication are warranted.
And what should these precautions be? If a malicious u
rm. Be advised: the user can
create his own form with $admin as a variable and submit it to your PHP script.
Therefore, additional precautions and authentication are warranted.
- Original Message -
From: "Monty" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: F
> From: [EMAIL PROTECTED] (Mike Ford)
> Newsgroups: php.general
> Date: Thu, 24 Oct 2002 18:41:04 +0100
> To: "'1LT John W. Holmes'" <[EMAIL PROTECTED]>, Rick Emery
> <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: RE: [PHP] extract($_POST)
>
>> -Original Me