Prev: Send Mail from PHP Using SMTP Authentication
Next: Using PHP to launch more PHP scripts and use WinCache.
From: "Jacob Kruger" on 22 Apr 2010 16:36
I know - used to deal with/handle SQL injection prevention quite a bit in
old days - and think have already got one or two code samples for
counteracting it in PHP/MySQL, and they would generally be kept in functions
in a general include file, to be included in all database accessing pages,
and I would also generally not make too much use of querystring/get data
passing in that sense either, but anyway...

One of the workarounds looked into in the past was where it would also just
look like a standard <a /> link on a page, but where it would actually do a
form of hidden form submission where hidden fields would be set with certain
values, either dynamically hard coded, or set using javascript etc., which
could also be worked around by submitting a form from another source, but it
really also depended on the target production environment since while I know
there are automated robotic SQLInjection implementations out there, they
would still also be more likely to target websites that generate more
traffic as such, etc. etc.

Stay well

Jacob Kruger
Blind Biker
Skype: BlindZA
'...fate had broken his body, but not his spirit...'

----- Original Message -----
From: "James Crow" <james(a)ultratans.com>
To: <php-windows(a)lists.php.net>
Sent: Thursday, April 22, 2010 5:27 PM
Subject: Re: [PHP-WIN] Trouble running a select query against a database,
when I know the connection is working, and the data is there


> On 04/14/2010 08:48 PM, Jacob Kruger wrote:
>> Thanks.
>>
>> Will be honest, and while have played around with PHP etc., have never
>> really done much with it in terms of going into production as such
>> anyway, so, yes, will need to learn/figure out how to do things the best
>> way, etc.
>>
>> Stay well
>>
>> Jacob Kruger
>> Blind Biker
>> Skype: BlindZA
>> '...fate had broken his body, but not his spirit...'
> And while you are trying to learn good habits look at SQL Injection
> attacks. Using something like $_REQUEST['id'] in a query is just asking
> for it. Many of the PHP and MySQL tutorials I have seen barely mention
> this problem, if at all.
>
> Consider if someone had sent your script a URL like this:
> scipt.php?id='';DELETE FROM table tblLinks;
> If the user running the mysql_query() function had the rights to delete
> rows on the tblLinks table, the tblLinks table would be empty.
>
> Cheers,
> James
>
> --
> PHP Windows Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
> __________ Information from ESET NOD32 Antivirus, version of virus
> signature database 5051 (20100422) __________
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com
>
>
>


__________ Information from ESET NOD32 Antivirus, version of virus signature database 5051 (20100422) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com



First  |  Prev  | 
Pages: 1 2
Prev: Send Mail from PHP Using SMTP Authentication
Next: Using PHP to launch more PHP scripts and use WinCache.