2007. 04. 11, szerda keltezéssel 17.36-kor Marcelo Wolfgang ezt írta: > > and what if $_GET['id'] is something like > > "1; DROP TABLE tb_emails;" > > ?? > > > > SQL injection just waits to happen > > I think tha tit will be too much of a hacker effort just to kill a table > of contact emails, and also he will have to guess ( is there other way > ? ) the table name, but just to be on a safer side: > > - Is there a way to say that id can only be a number ? > > something like $id:Number = $_GET['id']?
that was just an example, any kind of hacker SQL code can be put there... if $id should be a number typecast it to int like this: $id = (int) $_GET['id']; greets Zoltán Németh > > TIA > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
