[PHP] Protecting Queries

2002-11-17 Thread Stephen
Since day one of me doing MySQL stuff in PHP, I've always set up my query as a variable then put it into the query function such as this: $query = "SELECT * FROM bobstuff WHERE id='1'"; $result = mysql_query($query, $connection); I've just come aware of the security risks of this. How

Re: [PHP] Protecting Queries

2002-11-17 Thread Jonathan Sharp
the issue isn't with query, it's with variables used within queries... example: $id = $_GET['id']; $query = "SELECT * FROM mytable WHERE id=$id"; and if you call this page as (or something like this): ?id='' OR 1=1 You can alter the query -js Stephen wrote: Since day one of me doing MySQL
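The interpolation problem Jonathan describes, with the hardened form beside it, as an added example that is not code from the thread. It assumes a PDO MySQL connection (`$pdo`, hypothetical DSN and credentials) and a table `mytable` with an integer `id` column; the legacy `mysql_*` functions in the original posts have no prepared statements, which is why the example uses PDO.

```php
<?php
// Vulnerable: the raw request value is pasted into the SQL text, so an
// input such as '' OR 1=1 changes the structure of the WHERE clause.
function lookupVulnerable(PDO $pdo, string $rawId): array {
    $query = "SELECT * FROM mytable WHERE id=$rawId";
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value is sent as a bound parameter and never becomes SQL text.
// The column is numeric, so anything that is not a bare integer is rejected early.
function lookupSafe(PDO $pdo, string $rawId): array {
    if (!ctype_digit($rawId)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    $stmt = $pdo->prepare('SELECT * FROM mytable WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hypothetical connection details; ERRMODE_EXCEPTION surfaces query failures,
// and disabling emulated prepares makes the server, not the client, do the binding.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$id = $_GET['id'] ?? '';
try {
    $rows = lookupSafe($pdo, $id);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('bad id');
}
```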

Re: [PHP] Protecting Queries

2002-11-17 Thread Rasmus Lerdorf
No, that is fine. User-supplied data can not override a variable defined directly in your script like that regardless of the register_globals setting. -Rasmus On Sun, 17 Nov 2002, Stephen wrote: Since day one of me doing MySQL stuff in PHP, I've always set up my query as a variable then put

Re: [PHP] Protecting Queries

2002-11-17 Thread Stephen
PROTECTED] Cc: PHP List [EMAIL PROTECTED] Sent: Sunday, November 17, 2002 3:46 PM Subject: Re: [PHP] Protecting Queries No, that is fine. User-supplied data can not override a variable defined directly in your script like that regardless of the register_globals setting. -Rasmus

Re: [PHP] Protecting Queries

2002-11-17 Thread Stephen
Oh, right, thanks! - Original Message - From: Rasmus Lerdorf [EMAIL PROTECTED] To: Stephen [EMAIL PROTECTED] Sent: Sunday, November 17, 2002 4:05 PM Subject: Re: [PHP] Protecting Queries No, like I said, since you set $query in your script, whatever the user passes in is overwritten

Re: [PHP] Protecting Queries

2002-11-17 Thread Alnisa Allgood
At 3:31 PM -0500 11/17/02, Stephen wrote: Since day one of me doing MySQL stuff in PHP, I've always set up my query as a variable then put it into the query function such as this: $query = "SELECT * FROM bobstuff WHERE id='1'"; $result = mysql_query($query, $connection); I've just come