comp.lang.php » fetch items from a row
Re: fetch items from a row [message #182456 is a reply to message #182450] Mon, 05 August 2013 02:09
Jerry Stuckle
Messages: 2598
Registered: September 2010
Senior Member
On 8/4/2013 5:27 PM, The Natural Philosopher wrote:
> On 04/08/13 18:06, Mladen Gogala wrote:
>> On Fri, 03 May 2013 21:49:52 +0100, Tim Streater wrote:
>>
>>> More likely:
>>>
>>> $result = mysql_query("SELECT id,email FROM people WHERE id = '" .
>>> $_GET['number'] . "'");
>> And the code like that is the basis for all SQL injection attacks. It's
>> so frequent that even comic strips have been written about it:
>>
>> http://xkcd.com/327/
>>
>> If you have such code in the client facing application, prepare to meet
>> little Bobby Tables.
>>
>>
> avoided simply by :
>
> $result = mysql_query(sprintf("SELECT id,email FROM people WHERE id = '%d'",
>     $_GET['number']));
>
> Using sprintf not only makes everything look reasonable at code
> inspection level, it self-validates stuff that should be a number and
> guarantees only a number.
>
> Likewise either escape strings or hexify them.
>
> It isn't rocket science.
>

Which gives incorrect results if the value isn't an integer. It is much
better to validate the data and, if it is incorrect (i.e. in this case,
not an integer), provide an error message instead of incorrect results.

But then only a programmer would know that.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
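The three approaches the thread argues over, side by side, as an added example that is not code from any poster in the thread. It runs against an in-memory SQLite table through PDO (the pdo_sqlite extension is assumed to be present) rather than the old mysql_query() extension, which was removed in PHP 7; the table, its rows and the inputs fed to each function are constructed for this demonstration. The quoted `'%d'` formatting from the thread is kept deliberately, because the point is what sprintf does to non-numeric input.

```php
<?php
// Added example (not from the thread). Constructed table and inputs; requires pdo_sqlite.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, email TEXT)');
$db->exec("INSERT INTO people VALUES (42, 'alice@example.com'), (43, 'bob@example.com')");

// 1. String concatenation, as in the quoted mysql_query() line: the raw input
//    becomes part of the SQL text, so it can change the query's structure.
function byConcat(PDO $db, string $number): array
{
    $sql = "SELECT id,email FROM people WHERE id = '" . $number . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. sprintf('%d'): the input is cast to an integer before it reaches the SQL,
//    so it cannot alter the query, but a non-numeric value is silently mangled.
function bySprintf(PDO $db, string $number): array
{
    $sql = sprintf("SELECT id,email FROM people WHERE id = '%d'", $number);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Validate first and reject bad input with an error, then bind the value as a
//    typed parameter so the database never sees it as SQL.
function byValidation(PDO $db, string $number): array
{
    $id = filter_var($number, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException("number must be an integer, got: $number");
    }
    $stmt = $db->prepare('SELECT id,email FROM people WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Well-formed input: all three agree and return Alice's row only.
print_r(byConcat($db, '42'));

// Injection: the payload closes the quoted literal and appends a tautology,
// so concatenation returns every row in the table.
$payload = "42' OR '1'='1";
print_r(byConcat($db, $payload));

// The same payload through sprintf('%d') is cast to 42, so only that row comes back.
print_r(bySprintf($db, $payload));

// The cost of the cast: '43abc' is a typo, not an attack, yet '%d' quietly makes it 43
// and the caller gets Bob's row with no indication that the input was bad.
print_r(bySprintf($db, '43abc'));

// Validation refuses to guess and reports the problem instead.
try {
    byValidation($db, '43abc');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
print_r(byValidation($db, '42'));
```

The design point is the one Jerry makes: sprintf('%d') stops the injection, but it turns "is this an integer?" into "what integer is this closest to?", so malformed input yields a plausible but wrong row. Checking with filter_var() (or ctype_digit() for non-negative ids) and binding the value through a prepared statement gives both the injection protection and the error message.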