Re: i getting this warning [message #176023 is a reply to message #176021]
Thu, 17 November 2011 13:39
The Natural Philosoph
Messages: 993 Registered: September 2010
Senior Member
Arno Welzel wrote:
> Denis McMahon, 2011-11-16 16:11:
>
>> On Wed, 16 Nov 2011 06:56:21 -0500, Jerry Stuckle wrote:
>>
>>> On 11/16/2011 6:17 AM, sri kanth wrote:
>>>> $qs=$_REQUEST['id'];
>>>> $data=mysql_query("select * from tbl_porduct where pid=$qs");
>>> Three things.
>> You missed "using unescaped user input in a query with no validation or
>> verification". I know it's only a select, but would you bet that he's
>> that sloppy with selects and yet rigorous with data changing statements?
>
> It does not matter what statement there *is*. Using data from outside in
> this way makes *everything* possible - this is the typical mistake which
> makes SQL injection possible!
>
>
> Example:
>
> Let's assume $qs is "1;drop tbl_product".
>
> $data = mysql_query("select * from tbl_product where pid=$qs");
>
> The statement will be expanded to:
>
> "select * from tbl_product where pid=1;drop tbl_product"
>
> The result will be, that the table tbl_product will be dropped, if the
> MySQL user has the right to drop tables.
>
Which is why I always use sprintf("...id='%d'", $id)....
Whatever ends up in 'id=' is always numeric, and that's all it is.
And even if it's a string, if you encapsulate it in quotes, then it can't
go outside the bounds of the query.
>
> So:
>
> 1) Never trust data from outside
>
+1
> 2) Always check results and never assume successful execution
>
>
Unless you don't mind it failing.
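An added example, not code posted by anyone in this thread, that puts the three approaches discussed above side by side: raw interpolation as in the original post, the sprintf("%d") cast from the reply, and a PDO prepared statement. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database so it runs offline; the table name tbl_product and the pid column are taken from the thread, while the name column, the rows and the attacker inputs are constructed for the demonstration. Two caveats worth knowing: the old ext/mysql mysql_query() sends a single statement and will not run a stacked "1;drop tbl_product", but an injection such as "1 OR 1=1" or a UNION needs no second statement, so the hole is just as real; and wrapping a string value in quotes only contains it if the value cannot itself contain a quote, which is what the second half of the example shows.

```php
<?php
// Added example (not from the thread). In-memory SQLite via PDO so it runs
// offline; tbl_product/pid come from the thread, everything else is constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_product (pid INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO tbl_product VALUES (1, 'widget'), (2, 'gadget'), (3, 'secret item')");

function countRows(PDO $db, string $sql): int
{
    return count($db->query($sql)->fetchAll(PDO::FETCH_ASSOC));
}

// --- Numeric id, as in the original post -------------------------------------
// Constructed attacker value for $_REQUEST['id'].
$qs = '1 OR 1=1';

// 1) Raw interpolation (the pattern from the original post): the WHERE clause
//    becomes "pid=1 OR 1=1" and every row comes back.
printf("raw interpolation : %d rows\n",
    countRows($db, "SELECT * FROM tbl_product WHERE pid=$qs"));          // 3

// 2) sprintf("%d") as suggested in the reply: %d casts the value to int
//    before it reaches the SQL text, so "1 OR 1=1" collapses to "1".
$sql = sprintf("SELECT * FROM tbl_product WHERE pid='%d'", $qs);
printf("sprintf %%d        : %d rows  (%s)\n", countRows($db, $sql), $sql); // 1

// 3) Prepared statement: the value is bound as data, never parsed as SQL.
//    The whole string "1 OR 1=1" is compared against pid and matches nothing.
$stmt = $db->prepare('SELECT * FROM tbl_product WHERE pid = :pid');
$stmt->execute([':pid' => $qs]);
printf("prepared          : %d rows\n", count($stmt->fetchAll(PDO::FETCH_ASSOC))); // 0

// --- String value: quoting alone is not enough --------------------------------
// Constructed attacker value containing a single quote.
$name = "widget' OR '1'='1";

// Quoted but unescaped: the quote in the input closes the literal and the
// rest is parsed as SQL, so the filter is defeated and all rows come back.
$sql = sprintf("SELECT * FROM tbl_product WHERE name='%s'", $name);
printf("quoted string     : %d rows  (%s)\n", countRows($db, $sql), $sql); // 3

// Bound parameter: the quote is just a character inside the value.
$stmt = $db->prepare('SELECT * FROM tbl_product WHERE name = :name');
$stmt->execute([':name' => $name]);
printf("prepared string   : %d rows\n", count($stmt->fetchAll(PDO::FETCH_ASSOC))); // 0
```

The %d cast works because it turns the input into an integer before string concatenation happens; it is a type check, not an escaping step, and it only helps for columns that really are numeric. For anything else, binding the value through a prepared statement (PDO or mysqli) keeps it out of the SQL grammar regardless of what characters it contains.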