[thelist] Rusty PHP questions...

Matt Slocum matt.slocum at gmail.com
Mon Oct 15 10:43:20 CDT 2007


Tip: On something I know is supposed to be a numeric value I use:
$id = $_REQUEST['id'];
if (!is_numeric($id))
    error("bad ID");

This prevents worthless queries and it allows you to give smarter error
messages. (Not that you want to give a nice error message to someone that is
trying to do a SQL injection).

Also, $_REQUEST will retrieve either POST or GET submissions. This can be good
or bad. Good: It allows you to get either and be lazy. Bad: it makes it
easier for someone to try things using a URL even if you are using POST.

Matt

On 10/15/07, Ken Robinson <kenrbnsn at rbnsn.com> wrote:
>
> Quoting Tom Dell'Aringa <pixelmech at gmail.com>:
>
> > On 10/15/07, John Handelaar <john at userfrenzy.com> wrote:
> >>
> >> > 3. Lastly, just checking that I am setting my variable correctly. They
> >> > are appending an id onto the get string for each link, so I set it at the
> >> > top of the page like so, so I can test for it at the section when I need it:
> >> >
> >> > $raceId = $_GET['id'];
> >>
> >> One tip:
> >>
> >> a)  Take a backup (seriously, *TAKE A BACKUP* before moving to b)
> >> b)  Try appending this to the page URI:
> >>
> >>     ?id=0;DELETE FROM event_list;
> >>
> >> c)  Plug the huge hole you just described.
> >
> >
> > Holy carp! Ok, HOW do I plug that huge hole, I have no idea. Man do I
> > stink at php these days.
>
> Use the function mysql_real_escape_string(). This function will help
> prevent SQL injections from working:
>
>      $raceID = mysql_real_escape_string($_GET['id']);
>
> Ken
>
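The two fixes proposed in this thread (Matt's is_numeric() check and Ken's escaping) combined into one added example that is not code from any of the posters. It validates the id strictly and then hands it to the database as a bound parameter with PDO rather than calling mysql_real_escape_string(), which belongs to the old mysql extension that PHP 7 removed; the column names, DSN and credentials are assumptions, only the table name event_list comes from the thread.

```php
<?php
// Added example, not code from the thread. Validate the id the way Matt
// suggests, then pass it to the database as a bound parameter instead of
// pasting it into the SQL text. The table name "event_list" is from John's
// message; the columns, DSN and credentials below are assumptions.

function validateRaceId($raw): ?int
{
    // Reject anything that is not a plain positive integer, which includes
    // the "0;DELETE FROM event_list;" string from John's demonstration.
    // is_numeric() alone would also accept "1e3" or " 42", so
    // FILTER_VALIDATE_INT is the stricter check.
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function loadRace(PDO $db, int $raceId): ?array
{
    // The value never becomes part of the SQL string, so no quoting or
    // escaping is needed, whatever the input looked like.
    $stmt = $db->prepare('SELECT id, name FROM event_list WHERE id = :id');
    $stmt->bindValue(':id', $raceId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Read $_GET explicitly rather than $_REQUEST, as Matt notes: a value meant
// to arrive by POST should not also be accepted from the URL.
$raceId = validateRaceId($_GET['id'] ?? null);
if ($raceId === null) {
    http_response_code(400);
    exit('bad ID');
}

$db = new PDO('mysql:host=localhost;dbname=evolt', 'dbuser', 'dbpassword', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
]);
$race = loadRace($db, $raceId);
if ($race === null) {
    http_response_code(404);
    exit('no such race');
}
```

With validation done first, a malformed id is rejected before any query runs, and the bound parameter protects the query even if validation is later loosened.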
