Re: fetch items from a row [message #181288 is a reply to message #181287]
Fri, 03 May 2013 20:18
Salvatore
On 2013-05-03, richard <noreply(at)example(dot)com> wrote:
>
> How would I change the '42' value to a string value based upon the value
> retrieved from using $_GET('number')?
> [snip]
What do you mean by this? Do you want the value "42" cast as a string?
--
Blah blah bleh...
GCS/CM d(-)@>-- s+:- !a C++$ UBL++++$ L+$ W+++$ w M++ Y++ b++

Re: fetch items from a row [message #181289 is a reply to message #181288]
Fri, 03 May 2013 20:49
Tim Streater
In article <km162d$j1l$1(at)yojimbo(dot)hack>,
Salvatore <sal(at)yojimbo(dot)hack(dot)invalid> wrote:
> On 2013-05-03, richard <noreply(at)example(dot)com> wrote:
>>
>> How would I change the '42' value to a string value based upon the value
>> retrieved from using $_GET('number')?
>> [snip]
>
> What do you mean by this? Do you want the value "42" cast as a string?
More likely:
$result = mysql_query("SELECT id,email FROM people WHERE id = '" .
$_GET['number'] . "'");
--
Tim
"That excessive bail ought not to be required, nor excessive fines imposed,
nor cruel and unusual punishments inflicted" -- Bill of Rights 1689

Re: fetch items from a row [message #181290 is a reply to message #181287]
Fri, 03 May 2013 20:47
Denis McMahon
On Fri, 03 May 2013 15:55:58 -0400, richard wrote:
> How would I change the '42' value to a string value based upon the value
> retrieved from using $_GET('number')?
>
> <?php
> $result = mysql_query("SELECT id,email FROM people WHERE id = '42'");
> if (!$result) {
>     echo 'Could not run query: ' . mysql_error();
>     exit;
> }
> $row = mysql_fetch_row($result);
>
> echo $row[0]; // 42
> echo $row[1]; // the email value
> ?>
Rephrase the question so it makes some sort of sense.
$_GET is not a function, $_GET('number') is invalid syntax.
$_GET['number'] will return the string from the get request that was
prefixed with "(?|&)number=" up to but not including the end of the
request or the next "&", whichever comes first.
If you're trying to use the string value as a numeric value in a query,
then you may not want to put quotes round it in the query string:
select * from table where column = '42'; // looks for a string
select * from table where column = 42; // looks for a number
As the value you get from the request is a string, and the sql command is
a string, you could just copy the string value across, or you could force
it to a number and back in the process, which might be slightly slower,
but would be a lot safer:
$num = -1;
if (isset($_GET['number'])) $num = intval($_GET['number']);
if ( $num > 0 ) {
    $sql = "select * from table where column = {$num}";
}
else {
    // handle invalid number here
}
But all of this presumes that your issue is that you are comparing a
string value with an integer field, and that's why you're not getting the
result you expect - however you really haven't presented enough
information about the problem - and if your issue is a mysql one, perhaps
you need to ask in a mysql group.
--
Denis McMahon, denismfmcmahon(at)gmail(dot)com

Re: fetch items from a row [message #181291 is a reply to message #181287]
Fri, 03 May 2013 21:00
Richard Yates
On Fri, 3 May 2013 15:55:58 -0400, richard <noreply(at)example(dot)com>
wrote:
>
> How would I change the '42' value to a string value based upon the value
> retrieved from using $_GET('number')?
>
>
> <?php
> $result = mysql_query("SELECT id,email FROM people WHERE id = '42'");
> if (!$result) {
> echo 'Could not run query: ' . mysql_error();
> exit;
> }
> $row = mysql_fetch_row($result);
>
> echo $row[0]; // 42
> echo $row[1]; // the email value
> ?>
Your question is a little confusing. It sounds like you are GETting an
integer and want to use it in the mysql query where the id is stored
as a string in the database.
$number = $_GET['number'];
$result = mysql_query("select id, email from people where id='$number'");
But I also wonder why your id numbers in the database are stored as
strings and not as integer primary keys (which they seem to be).

Re: fetch items from a row [message #181292 is a reply to message #181291]
Fri, 03 May 2013 21:21
Scott Johnson
On 5/3/2013 2:00 PM, Richard Yates wrote:
> On Fri, 3 May 2013 15:55:58 -0400, richard <noreply(at)example(dot)com>
> wrote:
>
>>
>> How would I change the '42' value to a string value based upon the value
>> retrieved from using $_GET('number')?
>>
>>
>> <?php
>> $result = mysql_query("SELECT id,email FROM people WHERE id = '42'");
>> if (!$result) {
>> echo 'Could not run query: ' . mysql_error();
>> exit;
>> }
>> $row = mysql_fetch_row($result);
>>
>> echo $row[0]; // 42
>> echo $row[1]; // the email value
>> ?>
>
> Your question is a little confusing. It sounds like you are GETting an
> integer and want to use it in the mysql query there the id is stored
> as a string in the database.
>
> $number = $_GET['number'];
> $result = mysql_query("select id, email from people where id='$number'
> ";
>
> But I also wonder why your id numbers in the database are stored as
> strings and not as integer primary keys (which they seem to be).
>
>
I am no expert here but in my experience $_GET holds a string from the
URI query no matter the value.
And the MySQL results will return a string as well whether it is as an
integer or string.
I would double check that in the mysql ng.

Re: fetch items from a row [message #181293 is a reply to message #181291]
Fri, 03 May 2013 21:38
Lew Pitcher
On Friday 03 May 2013 17:00, in comp.lang.php, richard(at)yatesguitar(dot)com
wrote:
> On Fri, 3 May 2013 15:55:58 -0400, richard <noreply(at)example(dot)com>
> wrote:
>
>>
>> How would I change the '42' value to a string value based upon the value
>> retrieved from using $_GET('number')?
>>
>>
>> <?php
>> $result = mysql_query("SELECT id,email FROM people WHERE id = '42'");
>> if (!$result) {
>> echo 'Could not run query: ' . mysql_error();
>> exit;
>> }
>> $row = mysql_fetch_row($result);
>>
>> echo $row[0]; // 42
>> echo $row[1]; // the email value
>> ?>
>
> Your question is a little confusing. It sounds like you are GETting an
> integer and want to use it in the mysql query there the id is stored
> as a string in the database.
>
> $number = $_GET['number'];
> $result = mysql_query("select id, email from people where id='$number'
> ";
Have you met little Bobby Tables (http://xkcd.com/327/) ?
The PHP documentation webpages have a slightly better suggestion for this
sort of query...
From http://www.php.net/manual/en/function.mysql-query.php
// Formulate Query
// This is the best way to perform an SQL query
// For more examples, see mysql_real_escape_string()
$query = sprintf("SELECT firstname, lastname, address, age FROM friends
    WHERE firstname='%s' AND lastname='%s'",
    mysql_real_escape_string($firstname),
    mysql_real_escape_string($lastname));

// Perform Query
$result = mysql_query($query);
--
Lew Pitcher
"In Skills, We Trust"
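The manual snippet Lew quotes escapes the values before splicing them into the query string. The same lookup written with a bound parameter, as an added example that is neither the thread's code nor the PHP manual's: it uses the mysqli extension's prepared statements (the ext/mysql functions used throughout this thread were removed in PHP 7). The table `people(id, email)` is the thread's; the connection details are placeholders and `fetchEmailById` is this example's own name.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread or the PHP manual page it cites.
// Same lookup as the thread's query, done with a mysqli prepared statement:
// the SQL text never contains the user's value, so there is nothing to escape.
// Assumes the thread's table people(id INT, email VARCHAR); connection
// details are placeholders and fetchEmailById is this example's own name.

/**
 * Return the email for $id, or null when no row has that id.
 * $id is bound as an integer ('i'); it travels to the server as a parameter,
 * not as characters spliced into the statement text.
 */
function fetchEmailById(mysqli $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT email FROM people WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $email = null;
    $stmt->bind_result($email);
    $found = $stmt->fetch();       // true when a row was read into $email
    $stmt->close();
    return $found ? $email : null;
}

// 1. Validate before touching the database: only a positive integer is an id.
$id = filter_input(INPUT_GET, 'number', FILTER_VALIDATE_INT,
                   ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {          // missing, or not an integer
    http_response_code(400);
    exit("number must be a positive integer\n");
}

// 2. Connect with errors raised as exceptions rather than returned as false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');   // placeholders
$db->set_charset('utf8mb4');

// 3. Query with the bound parameter.
$email = fetchEmailById($db, $id);
echo $email === null ? "no row with id {$id}\n" : "email: {$email}\n";
```

Escaping with mysql_real_escape_string() needs an open connection and depends on the connection's character set being the one the server uses; a bound integer parameter sidesteps both, because the value is never turned into SQL text at all.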

Re: fetch items from a row [message #181294 is a reply to message #181293]
Fri, 03 May 2013 22:15
Richard Yates
On Fri, 03 May 2013 17:38:08 -0400, Lew Pitcher
<lpitcher(at)teksavvy(dot)com> wrote:
> On Friday 03 May 2013 17:00, in comp.lang.php, richard(at)yatesguitar(dot)com
> wrote:
>
>> On Fri, 3 May 2013 15:55:58 -0400, richard <noreply(at)example(dot)com>
>> wrote:
>>
>>>
>>> How would I change the '42' value to a string value based upon the value
>>> retrieved from using $_GET('number')?
>>>
>>>
>>> <?php
>>> $result = mysql_query("SELECT id,email FROM people WHERE id = '42'");
>>> if (!$result) {
>>> echo 'Could not run query: ' . mysql_error();
>>> exit;
>>> }
>>> $row = mysql_fetch_row($result);
>>>
>>> echo $row[0]; // 42
>>> echo $row[1]; // the email value
>>> ?>
>>
>> Your question is a little confusing. It sounds like you are GETting an
>> integer and want to use it in the mysql query there the id is stored
>> as a string in the database.
>>
>> $number = $_GET['number'];
>> $result = mysql_query("select id, email from people where id='$number'
>> ";
>
> Have you met little Bobby Tables (http://xkcd.com/327/) ?
>
> The PHP documentation webpages have a slightly better suggestion for this
> sort of query...
>
> From http://www.php.net/manual/en/function.mysql-query.php
> // Formulate Query
> // This is the best way to perform an SQL query
> // For more examples, see mysql_real_escape_string()
> $query = sprintf("SELECT firstname, lastname, address, age FROM friends
> WHERE firstname='%s' AND lastname='%s'",
> mysql_real_escape_string($firstname),
> mysql_real_escape_string($lastname));
>
> // Perform Query
> $result = mysql_query($query);
Yes, I know about BQ. And yes, certainly, if I were doing it, the
input would be validated, etc. But, the poster is clearly struggling
with the simplest elements of php/mysql and, to learn that part,
needed only the simplest answer to his question.

Re: fetch items from a row [message #181302 is a reply to message #181294]
Sat, 04 May 2013 09:56
SwissCheese
On 05/03/2013 06:15 PM, Richard Yates wrote:
> On Fri, 03 May 2013 17:38:08 -0400, Lew Pitcher
> <lpitcher(at)teksavvy(dot)com> wrote:
>
>> On Friday 03 May 2013 17:00, in comp.lang.php, richard(at)yatesguitar(dot)com
>> wrote:
>>
>>> On Fri, 3 May 2013 15:55:58 -0400, richard <noreply(at)example(dot)com>
>>> wrote:
>>>
>>>>
>>>> How would I change the '42' value to a string value based upon the value
>>>> retrieved from using $_GET('number')?
>>>>
>>>>
>>>> <?php
>>>> $result = mysql_query("SELECT id,email FROM people WHERE id = '42'");
>>>> if (!$result) {
>>>> echo 'Could not run query: ' . mysql_error();
>>>> exit;
>>>> }
>>>> $row = mysql_fetch_row($result);
>>>>
>>>> echo $row[0]; // 42
>>>> echo $row[1]; // the email value
>>>> ?>
>>>
>>> Your question is a little confusing. It sounds like you are GETting an
>>> integer and want to use it in the mysql query there the id is stored
>>> as a string in the database.
>>>
>>> $number = $_GET['number'];
>>> $result = mysql_query("select id, email from people where id='$number'
>>> ";
>>
>> Have you met little Bobby Tables (http://xkcd.com/327/) ?
>>
>> The PHP documentation webpages have a slightly better suggestion for this
>> sort of query...
>>
>> From http://www.php.net/manual/en/function.mysql-query.php
>> // Formulate Query
>> // This is the best way to perform an SQL query
>> // For more examples, see mysql_real_escape_string()
>> $query = sprintf("SELECT firstname, lastname, address, age FROM friends
>> WHERE firstname='%s' AND lastname='%s'",
>> mysql_real_escape_string($firstname),
>> mysql_real_escape_string($lastname));
>>
>> // Perform Query
>> $result = mysql_query($query);
>
> Yes, I know about BQ. And yes, certainly, if I were doing it, the
> input would be validated, etc. But, the poster is clearly struggling
> with the simplest elements of php/mysql and, to learn that part,
> needed only the simplest answer to his question.
>
Not only that but last time I checked, PHP/MySQL still doesn't allow
multi-statement queries.
--
Norman
Registered Linux user #461062
-Have you been to www.php.net yet?-

Re: fetch items from a row [message #181303 is a reply to message #181287]
Sat, 04 May 2013 10:05
The Natural Philosoph
On 03/05/13 20:55, richard wrote:
> How would I change the '42' value to a string value based upon the value
> retrieved from using $_GET('number')?
$_GET['number'] IIRC...
>
> <?php
> $result = mysql_query("SELECT id,email FROM people WHERE id = '42'");
> if (!$result) {
> echo 'Could not run query: ' . mysql_error();
> exit;
> }
> $row = mysql_fetch_row($result);
>
> echo $row[0]; // 42
> echo $row[1]; // the email value
> ?>
$result = mysql_query("SELECT id,email FROM people WHERE id = '{$_GET['number']}'");
with usual caveats about SQL injection etc.
I tend to use - sprintf as in
$query = sprintf("SELECT id,email FROM people WHERE id = '%d'", $_GET['number']);
$result = mysql_query($query);
to make sure what's in there is only a decimal number.
-- Ineptocracy (in-ep-toc’-ra-cy) – a system of government where the
least capable to lead are elected by the least capable of producing, and
where the members of society least likely to sustain themselves or
succeed, are rewarded with goods and services paid for by the
confiscated wealth of a diminishing number of producers.

Re: fetch items from a row [message #181304 is a reply to message #181291]
Sat, 04 May 2013 10:06
The Natural Philosoph
On 03/05/13 22:00, Richard Yates wrote:
> On Fri, 3 May 2013 15:55:58 -0400, richard <noreply(at)example(dot)com>
> wrote:
>
>> How would I change the '42' value to a string value based upon the value
>> retrieved from using $_GET('number')?
>>
>>
>> <?php
>> $result = mysql_query("SELECT id,email FROM people WHERE id = '42'");
>> if (!$result) {
>> echo 'Could not run query: ' . mysql_error();
>> exit;
>> }
>> $row = mysql_fetch_row($result);
>>
>> echo $row[0]; // 42
>> echo $row[1]; // the email value
>> ?>
> Your question is a little confusing. It sounds like you are GETting an
> integer and want to use it in the mysql query there the id is stored
> as a string in the database.
>
> $number = $_GET['number'];
> $result = mysql_query("select id, email from people where id='$number'
> ";
>
> But I also wonder why your id numbers in the database are stored as
> strings and not as integer primary keys (which they seem to be).
>
>
It makes no difference. SQL appears to work with either syntax on a
numeric field.
--
Ineptocracy
(in-ep-toc’-ra-cy) – a system of government where the least capable to lead are elected by the least capable of producing, and where the members of society least likely to sustain themselves or succeed, are rewarded with goods and services paid for by the confiscated wealth of a diminishing number of producers.

Re: fetch items from a row [message #181305 is a reply to message #181302]
Sat, 04 May 2013 10:08
The Natural Philosoph
On 04/05/13 10:56, SwissCheese wrote:
> On 05/03/2013 06:15 PM, Richard Yates wrote:
>> On Fri, 03 May 2013 17:38:08 -0400, Lew Pitcher
>> <lpitcher(at)teksavvy(dot)com> wrote:
>>
>>> On Friday 03 May 2013 17:00, in comp.lang.php, richard(at)yatesguitar(dot)com
>>> wrote:
>>>
>>>> On Fri, 3 May 2013 15:55:58 -0400, richard <noreply(at)example(dot)com>
>>>> wrote:
>>>>
>>>> >
>>>> > How would I change the '42' value to a string value based upon the
>>>> > value
>>>> > retrieved from using $_GET('number')?
>>>> >
>>>> >
>>>> > <?php
>>>> > $result = mysql_query("SELECT id,email FROM people WHERE id = '42'");
>>>> > if (!$result) {
>>>> > echo 'Could not run query: ' . mysql_error();
>>>> > exit;
>>>> > }
>>>> > $row = mysql_fetch_row($result);
>>>> >
>>>> > echo $row[0]; // 42
>>>> > echo $row[1]; // the email value
>>>> > ?>
>>>>
>>>> Your question is a little confusing. It sounds like you are GETting an
>>>> integer and want to use it in the mysql query there the id is stored
>>>> as a string in the database.
>>>>
>>>> $number = $_GET['number'];
>>>> $result = mysql_query("select id, email from people where id='$number'
>>>> ";
>>>
>>> Have you met little Bobby Tables (http://xkcd.com/327/) ?
>>>
>>> The PHP documentation webpages have a slightly better suggestion for
>>> this
>>> sort of query...
>>>
>>> From http://www.php.net/manual/en/function.mysql-query.php
>>> // Formulate Query
>>> // This is the best way to perform an SQL query
>>> // For more examples, see mysql_real_escape_string()
>>> $query = sprintf("SELECT firstname, lastname, address, age FROM
>>> friends
>>> WHERE firstname='%s' AND lastname='%s'",
>>> mysql_real_escape_string($firstname),
>>> mysql_real_escape_string($lastname));
>>>
>>> // Perform Query
>>> $result = mysql_query($query);
>>
>> Yes, I know about BQ. And yes, certainly, if I were doing it, the
>> input would be validated, etc. But, the poster is clearly struggling
>> with the simplest elements of php/mysql and, to learn that part,
>> needed only the simplest answer to his question.
>>
>
> Not only that but last time I checked, PHP/MySQL still doesn't allow
> multi-statement queries.
>
well it certainly allows the above.
--
Ineptocracy
(in-ep-toc’-ra-cy) – a system of government where the least capable to lead are elected by the least capable of producing, and where the members of society least likely to sustain themselves or succeed, are rewarded with goods and services paid for by the confiscated wealth of a diminishing number of producers.

Re: fetch items from a row [message #182438 is a reply to message #181289]
Sun, 04 August 2013 17:06
Mladen Gogala
On Fri, 03 May 2013 21:49:52 +0100, Tim Streater wrote:
> More likely:
>
> $result = mysql_query("SELECT id,email FROM people WHERE id = '" .
> $_GET['number'] . "'");
And code like that is the basis for all SQL injection attacks. It's
so frequent that even comic strips have been written about it:
http://xkcd.com/327/
If you have such code in the client facing application, prepare to meet
little Bobby Tables.
--
Mladen Gogala
The Oracle Whisperer
http://mgogala.byethost5.com

Re: fetch items from a row [message #182442 is a reply to message #182438]
Sun, 04 August 2013 17:41
Tim Streater
In article <pan(dot)2013(dot)08(dot)04(dot)17(dot)06(dot)01(at)gmail(dot)com>,
Mladen Gogala <gogala(dot)mladen(at)gmail(dot)com> wrote:
> On Fri, 03 May 2013 21:49:52 +0100, Tim Streater wrote:
>
>> More likely:
>>
>> $result = mysql_query("SELECT id,email FROM people WHERE id = '" .
>> $_GET['number'] . "'");
>
> And the code like that is the basis for all SQL injection attacks. It's
> so frequent that even comic strips have been written about it:
>
> http://xkcd.com/327/
>
> If you have such code in the client facing application, prepare to meet
> little Bobby Tables.
I didn't write the above.
--
Tim
"That excessive bail ought not to be required, nor excessive fines imposed,
nor cruel and unusual punishments inflicted" -- Bill of Rights 1689

Re: fetch items from a row [message #182450 is a reply to message #182438]
Sun, 04 August 2013 21:27
The Natural Philosoph
On 04/08/13 18:06, Mladen Gogala wrote:
> On Fri, 03 May 2013 21:49:52 +0100, Tim Streater wrote:
>
>> More likely:
>>
>> $result = mysql_query("SELECT id,email FROM people WHERE id = '" .
>> $_GET['number'] . "'");
> And the code like that is the basis for all SQL injection attacks. It's
> so frequent that even comic strips have been written about it:
>
> http://xkcd.com/327/
>
> If you have such code in the client facing application, prepare to meet
> little Bobby Tables.
>
>
avoided simply by:
$result = mysql_query(sprintf("SELECT id,email FROM people WHERE id = '%d'",
    $_GET['number'] ));
Using sprintf not only makes everything look reasonable at code
inspection level, it self-validates stuff that should be a number and
guarantees only a number.
Likewise either escape strings or hexify them.
It isn't rocket science.
--
Ineptocracy
(in-ep-toc’-ra-cy) – a system of government where the least capable to lead are elected by the least capable of producing, and where the members of society least likely to sustain themselves or succeed, are rewarded with goods and services paid for by the confiscated wealth of a diminishing number of producers.

Re: fetch items from a row [message #182451 is a reply to message #182450]
Sun, 04 August 2013 22:15
Tim Streater
In article <ktmgv5$bra$1(at)news(dot)albasani(dot)net>,
The Natural Philosopher <tnp(at)invalid(dot)invalid> wrote:
> On 04/08/13 18:06, Mladen Gogala wrote:
>> On Fri, 03 May 2013 21:49:52 +0100, Tim Streater wrote:
>>
>>> More likely:
>>>
>>> $result = mysql_query("SELECT id,email FROM people WHERE id = '" .
>>> $_GET['number'] . "'");
>> And the code like that is the basis for all SQL injection attacks. It's
>> so frequent that even comic strips have been written about it:
>>
>> http://xkcd.com/327/
>>
>> If you have such code in the client facing application, prepare to meet
>> little Bobby Tables.
>>
>>
> avoided simply by :
>
> $result = mysql_query(sprintf("SELECT id,email FROM people WHERE id = '%d'",
> $_GET['number'] ));
>
> Using sprintf not only makes everything to look reasonable at code
> inspection level it self validates stuff that should be a number and
> gurantees only a number.
>
> Likewise either escape strings or hexify them.
>
> It isn't rocket science.
Oh yeah, it turns out I did write that. Well duh. Mr Gogala can't have
read the thread, otherwise he would have seen that the point was to find
out WTF richard was babbling about wrt strings. Problems resulting from
lack of code sanitisation are second order at most where he's concerned.
--
Tim
"That excessive bail ought not to be required, nor excessive fines imposed,
nor cruel and unusual punishments inflicted" -- Bill of Rights 1689

Re: fetch items from a row [message #182452 is a reply to message #181287]
Mon, 05 August 2013 00:19
Denis McMahon
On Fri, 03 May 2013 15:55:58 -0400, richard wrote:
> How would I change the '42' value to a string value based upon the value
> retrieved from using $_GET('number')?
$_GET isn't a function, it's an associative array.
If you're trying to read the "number" parameter of a get request, you use:
$_GET['number'];
or:
$_GET["number"];
The type of brackets is very important, although in this specific case,
the type of quote marks is less important than it is at other times.
> <?php
> $result = mysql_query("SELECT id,email FROM people WHERE id = '42'");
> if (!$result) {
>     echo 'Could not run query: ' . mysql_error();
>     exit;
> }
> $row = mysql_fetch_row($result);
>
> echo $row[0]; // 42
> echo $row[1]; // the email value
> ?>
If you only want the email, only request the email.
If you want to output the email address for a specific id number that
comes from a get request, which I think is what you mean:
<?php
$num = 0;
if ( isset( $_GET["number"] ) ) $num = intval( $_GET["number"] );
$sql = "SELECT email FROM people WHERE id = '{$num}'";
$result = mysql_query( $sql );
if ( !$result ) {
    echo "mysql query \"{$sql}\" failed with: " . mysql_error() . "\n";
} else {
    $rows = mysql_num_rows( $result );
    if ( $rows != 1 ) {
        echo "Unexpected result from sql query \"{$sql}\", {$rows} rows "
           . "returned when 1 row expected!\n";
    } else {
        $row = mysql_fetch_row( $result );
        if ( $row ) {
            echo "Email address is: {$row[0]}\n";
        } else {
            echo "No email address found for that ID number\n";
        }
    }
}
--
Denis McMahon, denismfmcmahon(at)gmail(dot)com

Re: fetch items from a row [message #182456 is a reply to message #182450]
Mon, 05 August 2013 02:09
Jerry Stuckle
On 8/4/2013 5:27 PM, The Natural Philosopher wrote:
> On 04/08/13 18:06, Mladen Gogala wrote:
>> On Fri, 03 May 2013 21:49:52 +0100, Tim Streater wrote:
>>
>>> More likely:
>>>
>>> $result = mysql_query("SELECT id,email FROM people WHERE id = '" .
>>> $_GET['number'] . "'");
>> And the code like that is the basis for all SQL injection attacks. It's
>> so frequent that even comic strips have been written about it:
>>
>> http://xkcd.com/327/
>>
>> If you have such code in the client facing application, prepare to meet
>> little Bobby Tables.
>>
>>
> avoided simply by :
>
> $result = mysql_query(sprintf("SELECT id,email FROM people WHERE id =
> '%d'",
> $_GET['number'] ));
>
> Using sprintf not only makes everything to look reasonable at code
> inspection level it self validates stuff that should be a number and
> gurantees only a number.
>
> Likewise either escape strings or hexify them.
>
> It isn't rocket science.
>
Which gives incorrect results if the value isn't an integer. It is much
better to validate the data and, if it is incorrect (i.e. in this case,
not an integer), provide an error message instead of incorrect results.
But then only a programmer would know that.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
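Denis McMahon's two posts coerce the GET value with intval() and The Natural Philosopher's use sprintf('%d'); Jerry Stuckle's objection above is that coercion turns bad input into a valid query for a value the user never sent. An added example, not from any post in this thread, that runs the three readings side by side on constructed inputs so the difference is visible; `parsePositiveId` and `compareConversions` are this example's own names.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Compares the lenient conversions used
// in the posts above (intval(), sprintf('%d')) with a strict check, on
// constructed sample values. Function names are the example's own.

/**
 * Return the "number" GET parameter as an int only when the raw value is
 * exactly a string of decimal digits with a positive value; null otherwise,
 * so the caller can answer with an error instead of querying for a value
 * the user never actually sent.
 */
function parsePositiveId(array $get, string $key = 'number'): ?int
{
    if (!isset($get[$key]) || !is_string($get[$key])) {
        return null;                 // missing, or sent as an array (number[]=1)
    }
    $raw = $get[$key];
    // ctype_digit() is true only for a non-empty string of ASCII 0-9:
    // it rejects a sign, whitespace, "4.2", "42abc" and "".
    if (!ctype_digit($raw) || strlen($raw) > 18) {
        return null;                 // 18 digits keeps (int) below PHP_INT_MAX
    }
    $id = (int) $raw;                // "042" becomes 42, not octal
    return $id > 0 ? $id : null;     // "0" and "000" are not valid ids
}

/** The three readings of one raw value, for the comparison table below. */
function compareConversions(string $raw): array
{
    return [
        'intval'  => intval($raw),                       // Denis's approach
        'sprintf' => sprintf('%d', $raw),                // the '%d' approach
        'strict'  => parsePositiveId(['number' => $raw]),
    ];
}

// Constructed inputs: the kind of thing that can follow ?number= in a URL.
$samples = ['42', '042', '42abc', '-5', '4.2', 'abc', '', '0'];
printf("%-8s %-8s %-8s %s\n", 'raw', 'intval', 'sprintf', 'strict');
foreach ($samples as $raw) {
    $r = compareConversions($raw);
    printf("%-8s %-8d %-8s %s\n",
        var_export($raw, true), $r['intval'], $r['sprintf'],
        $r['strict'] === null ? 'null (reject)' : (string) $r['strict']);
}

// Wired into the thread's script: answer 400 instead of running the query.
// $num = parsePositiveId($_GET);
// if ($num === null) { http_response_code(400); exit("number must be a positive integer\n"); }
```

Denis's `$num > 0` test already catches "abc" (intval gives 0) but lets "42abc" through as 42, and "-5" is rejected only because of the sign; the strict check returns null for every sample except "42" and "042", which is the behaviour Jerry's post asks for: report the bad request, do not guess at what was meant.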