> This thread has been great!  I've learned so much useful stuff.
> 
> > For instance, if you expect a variable called $firstname to contain
> > a name to be stored in a SQL database, be certain it does not contain
> > SQL commands which can damage your database.
> 
> This is another thing I'd be interested in hearing more about.  If all
> you are doing is storing and retrieving data, what commands could
> possibly be defined that could damage your database?
> 
> $firstName = "Chris";
> mysql_query( "INSERT INTO names ( first_name ) VALUES ( \"$firstName\" )" );
> $result = mysql_query( "SELECT first_name FROM names" );
> while( $dataArray = mysql_fetch_assoc( $result )) {
>   echo $dataArray["first_name"];
> }
> 
> If $firstName was set by a form submission, what malicious SQL code
> could damage your database?  All you are doing is storing, retrieving
> and displaying data...

If you are using addslashes() or magic_quotes_gpc on $firstName, then
you're safe from any SQL attack. Also, you are safer because you are
first naming the column you're updating, then providing the value. If
there is any injection to affect another column, it'll cause an error.

Say you are doing this to insert a general user who is not an admin
(admin=0)

INSERT INTO table (name,admin) values ('$name',0)

If you are not checking name, and escaping single quotes, a malicious
user could submit this value:

John',1)#

Which will make a name of John, set admin to one, and make the remainder
of the SQL a comment.

---John Holmes...
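The injection described in the reply above, as an added runnable example that is not part of the original thread. It uses Python's bundled sqlite3 so it runs offline, which means the MySQL `#` line comment in the posted payload becomes SQLite's `--`; the table name `users` and its two columns are assumed for illustration. The vulnerable function interpolates the form value into the INSERT exactly as the thread's query does; the second function passes the name as a bound parameter instead, so the quote and comment marker are stored as plain characters and admin stays 0.

```python
import sqlite3

# Constructed, illustrative schema standing in for the thread's
# "INSERT INTO table (name,admin)": the table is called users here
# because "table" is a reserved word.
SCHEMA = "CREATE TABLE users (name TEXT NOT NULL, admin INTEGER NOT NULL)"

# The hostile form value from the thread, ported to SQLite: MySQL's '#'
# line comment becomes '--'. Everything after it is ignored by the parser.
PAYLOAD = "John',1)--"


def fresh_db():
    """Opens an in-memory database with the assumed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def build_vulnerable_sql(name):
    """Interpolates the value into the statement the way the thread's
    INSERT does, with no escaping at all."""
    return "INSERT INTO users (name,admin) VALUES ('%s',0)" % name


def insert_vulnerable(conn, name):
    """Runs the interpolated statement; a quote in name ends the literal
    early and the rest of the value is parsed as SQL."""
    conn.execute(build_vulnerable_sql(name))
    conn.commit()


def insert_parameterized(conn, name):
    """The value travels to the driver separately from the statement text,
    so quotes and comment markers inside it are just bytes of the name."""
    conn.execute("INSERT INTO users (name,admin) VALUES (?,0)", (name,))
    conn.commit()


def rows(conn):
    """Returns (name, admin) tuples in insertion order."""
    return list(conn.execute("SELECT name, admin FROM users ORDER BY rowid"))


def demo(payload=PAYLOAD):
    """Inserts the same hostile value both ways and returns what each
    database ended up storing, plus the SQL the vulnerable path ran."""
    vuln = fresh_db()
    insert_vulnerable(vuln, payload)
    safe = fresh_db()
    insert_parameterized(safe, payload)
    return {
        "sql": build_vulnerable_sql(payload),
        "vulnerable": rows(vuln),
        "parameterized": rows(safe),
    }


if __name__ == "__main__":
    result = demo()
    print("statement run :", result["sql"])
    print("vulnerable    :", result["vulnerable"])
    print("parameterized :", result["parameterized"])
```

With the payload the vulnerable path executes `INSERT INTO users (name,admin) VALUES ('John',1)--',0)`, so the row stored is `John` with admin set to 1; the parameterized path stores the literal string `John',1)--` with admin 0. The same mechanism covers any other value the user controls, not only this one.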

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php