Modtoreador
Oh, and another thing: why on Earth are you using the root account to access the database?!
You know that whole privilege-seperation thing I was going on about? Well... using the root account for anything but manual administrative tasks is just about the worst security flaw you can possibly subject your poor database to.
Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!
Regular Coders
its all Prototype right now
Modtoreador
Doesn't matter, there's no reason to be using the root account.
Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!
Global Moderator
I'm also coding something that uses get (and post) data.
I have a submit form that will add info to a database.
There's something wrong with just letting people type something in the form, click submit then do that?
How about my dynamic page that uses get to get some html from a database? (index.php?page=5, where it would search the database for the row WHERE id=5, then get the html data from that row and display it)
Isn't this kinda the point of mysql? It's a security risk?
Modtoreador
It is, yes. This is what mysql_real_escape_string() is for.Isn't this kinda the point of mysql? It's a security risk?And what if someone used:How about my dynamic page that uses get to get some html from a database? (index.php?page=5, where it would search the database for the row WHERE id=5, then get the html data from that row and display it)If the query string looked like this:Code:index.php?page=1;DROP%20DATABASE%20yourdbthen after it had been parsed, it would look like this:Code:$sql = "SELECT * FROM table WHERE id=$id;";... and your script would faithfully execute it. If you used mysql_real_escape_string, it would escape the semicolon with a backslash, rendering it harmless and simply returning no results.Code:$sql = "SELECT * FROM table WHERE id=1;DROP DATABASE yourdb;";
Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!
Global Moderator
mysql_real_escape_string is just something you do to an ordinary string?
doesn't have to be part of the query or anything, right?
I mean... I can do it before connecting to or doing anything with the database, yes?
//adding now.
Elite Coders
Your point is valid, of course, but the answer to that question should be: not a lot.Originally Posted by Twey
CGI programs (and the like) should consider semicolons (;to be equivalent to ampersands (&) for the purpose of separating query string name/value pairs, so the value of $_GET['page'] will equal '1' in PHP.
Replace ';' with '%3B' and now you're in trouble.
True, though that's overkill in this case. As the value of 'page' should only be a number, this can be validated. Non-numeric strings, such as an attempted injection attack, can be rejected. No need for escaping.If you used mysql_real_escape_string, it would escape the semicolon with a backslash, rendering it harmless and simply returning no results.
Yes. After creating a connection (the function uses the connection to determine character encoding), you'd call the function with data you intend to add to the SQL query, and append or insert the return value.
No, it mustn't.doesn't have to be part of the query or anything, right?
No, you must connect first.I can do it before connecting to or doing anything with the database, yes?
Mike
Global Moderator
Thanks.
Yeah, I figured out where to put it by playing with it.
Easy, and effective...
It's setup now.
by the way, while I used a number my example, the page is actually like "index.php?page=name"... a string. So... yeah, it is important to validate, I guess
Modtoreador
Well, technically the connection-handler argument is optional, so you can just call it on the string to encode it using the default system character encoding. However, it's not a good idea, since this would reduce portability and could cause problems if MySQL's character encoding was different to that of the system.
Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!
Elite Coders
The argument can be omitted from the call, but a connection isn't optional. From the manual page:
link_identifierThis applies to many of the MySQL functions.
The MySQL connection. If the link identifier is not specified, the last link opened by mysql_connect() is assumed. If no such link is found, it will try to create one as if mysql_connect() was called with no arguments. If by chance no connection is found or established, an E_WARNING level warning is generated.
Mike
Posting Permissions
Reply With Quote
Bookmarks