Re: i getting this warning [message #176021 is a reply to message #176019] Thu, 17 November 2011 13:31
Arno Welzel
Messages: 317
Registered: October 2011
Senior Member
Denis McMahon, 2011-11-16 16:11:

> On Wed, 16 Nov 2011 06:56:21 -0500, Jerry Stuckle wrote:
>
>> On 11/16/2011 6:17 AM, sri kanth wrote:
>
>>> $qs=$_REQUEST['id'];
>>> $data=mysql_query("select * from tbl_porduct where pid=$qs");
>
>> Three things.
>
> You missed "using unescaped user input in a query with no validation or
> verification". I know it's only a select, but would you bet that he's
> that sloppy with selects and yet rigorous with data changing statements?

It does not matter what the statement *is*. Using data from outside in
this way makes *everything* possible - this is the typical mistake which
makes SQL injection possible!


Example:

Let's assume $qs is "1;drop tbl_product".

$data = mysql_query("select * from tbl_product where pid=$qs");

The statement will be expanded to:

"select * from tbl_product where pid=1;drop tbl_product"

The result will be that the table tbl_product will be dropped, if the
MySQL user has the right to drop tables.


So:

1) Never trust data from outside

2) Always check results and never assume successful execution


A better solution may be (requires at least PHP 5) - not tested (may
contain typos):

try
{
    if(!isset($_REQUEST['id']))
        throw new Exception('parameter id missing');

    $qs = $_REQUEST['id'];

    if(!is_numeric($qs))
        throw new Exception('parameter id not numeric');

    if(!mysql_connect('localhost', 'root', ''))
        throw new Exception('can not connect to database');

    if(!mysql_select_db('test'))
        throw new Exception('can not select database');

    // %d forces the value into the statement as an integer
    $statement = sprintf("select * from tbl_product where pid=%d", $qs);

    // mysql_query() returns false when the statement itself fails
    $data = mysql_query($statement);
    if(!$data)
        throw new Exception('query failed: ' . mysql_error());

    // mysql_fetch_row() returns false when there is no matching row
    $rec = mysql_fetch_row($data);
    if(!$rec)
        throw new Exception('no product found');

    // values read back from the database must be escaped as well
    // before they are put into another statement
    $pname = mysql_real_escape_string($rec[1]);
    $price = mysql_real_escape_string($rec[3]);
    $sid   = mysql_real_escape_string(session_id());

    if(!mysql_query(
        "insert into tbl_spro values('$sid','$pname','$price')"))
        throw new Exception('can not store values: ' . mysql_error());
} catch (Exception $e) {
    // Handle exception here, $e->getMessage() will
    // return the messages provided above
}


--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
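An added example, not part of the thread and not Arno's code: the same flow written against PDO with prepared statements, so the user-supplied id is sent to MySQL as a bound parameter and never becomes part of the SQL text. The classic mysql extension used above was deprecated in PHP 5.5 and removed in PHP 7, so this is how the two rules in the post (never trust outside data, always check results) look in current PHP. Table names tbl_product and tbl_spro, the column pid and the database name "test" come from the thread; the column names pname and price, the DB_USER/DB_PASSWORD credentials and the function name storeProductForSession are assumptions.

```php
<?php
// Added example, not the code from the thread. Assumes MySQL database "test"
// with tables tbl_product(pid, pname, price) and tbl_spro(sid, pname, price);
// the column names pname and price are assumptions. Requires PHP 7 or later.
declare(strict_types=1);

function storeProductForSession(PDO $db, array $request): array
{
    // 1) Never trust data from outside: require the parameter and validate it
    //    strictly. filter_var() rejects "1;drop tbl_product", "1 or 1=1",
    //    " 1", "1e3" and id[]=1, all of which is_numeric()/arrays would let by.
    if (!isset($request['id'])) {
        throw new InvalidArgumentException('parameter id missing');
    }
    $pid = filter_var($request['id'], FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    if ($pid === false) {
        throw new InvalidArgumentException('parameter id is not a positive integer');
    }

    // 2) The id travels as a bound integer parameter: whatever the request
    //    contained, the statement the server executes is always this one.
    $select = $db->prepare('SELECT pname, price FROM tbl_product WHERE pid = :pid');
    $select->bindValue(':pid', $pid, PDO::PARAM_INT);
    $select->execute();
    $rec = $select->fetch(PDO::FETCH_ASSOC);
    if ($rec === false) {
        throw new RuntimeException('no product found');
    }

    // 3) Values read back from the database are bound too: a product name
    //    containing a quote must not be able to change the INSERT.
    $insert = $db->prepare(
        'INSERT INTO tbl_spro (sid, pname, price) VALUES (:sid, :pname, :price)'
    );
    $insert->execute([
        ':sid'   => session_id(),
        ':pname' => $rec['pname'],
        ':price' => $rec['price'],
    ]);

    return $rec;
}

try {
    // ERRMODE_EXCEPTION makes every failed connect/prepare/execute throw, so
    // nothing is assumed to have succeeded silently. Credentials are
    // placeholders; use a database account without DROP privileges.
    $db = new PDO('mysql:host=localhost;dbname=test;charset=utf8mb4',
                  'DB_USER', 'DB_PASSWORD', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);
    session_start();
    $rec = storeProductForSession($db, $_REQUEST);
    echo 'stored ', htmlspecialchars($rec['pname'], ENT_QUOTES, 'UTF-8'), "\n";
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'bad request: ', htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
} catch (Throwable $e) {
    // Log the detail server-side; driver error text never goes to the client.
    error_log($e->getMessage());
    http_response_code(500);
    echo 'internal error';
}
```

Two design points worth noting. Binding the id as PDO::PARAM_INT after FILTER_VALIDATE_INT does the job sprintf("%d") did in the post, but it also covers the second statement: the product name and price come out of the database and go back into tbl_spro as parameters, so a value stored with a quote in it cannot break that INSERT either. And ERRMODE_EXCEPTION is the direct equivalent of the post's "always check results": every call that fails throws, so the code cannot run on with a false return value it forgot to test.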