Home » Imported messages » comp.lang.php » combobox
Re: combobox [message #177320 is a reply to message #177316] Fri, 09 March 2012 10:06
Erwin Moller
On 3/8/2012 3:21 PM, ecu_jon wrote:
> i got it to work. thanks for forcing me to look again at what was
> getting POST 'ed on page5. once i saw the values were not exactly what
> i thought, i could figure it out. i made the drop-down part of the box
> a new variable, and added an option for creating a new(using the
> textbox). then on page5 did an if drop-down != first option, set
> variable to Client. Just below
> if(isset($_POST['Client'])) $Client = $_POST['Client']; so it would
> overwrite the Client variable.
> did some testing, if i choose something else in drop-down nothing in
> textbox, it does as expected.
> if i choose first value and write in text box it adds new, as
> expected.
> and if you do both pick from drop-down (not first value) and write in
> text it chooses the drop-down value to write to db.
>
> now if we could just get a real combo-box option somehow ...

Please reread Jerry's warning.
You said nothing about avoiding SQL-injection.
If the code stays the same, you have just opened a security hole.

SQL-injection primer:

======== WRONG ===========
$firstname = $_POST["firstname"];
$favcolor = $_POST["favcolor"];
$SQL = "INSERT INTO tblprefs (firstname,color) VALUES ";
$SQL .= "('" . $firstname . "','" . $favcolor . "');";
some_db_execute ($SQL);

Now, if $_POST["firstname"] contains something nice like "Joe" (without
the ") and $favcolor contains "blue" you'll get the following SQL:

INSERT INTO tblprefs (firstname,color) VALUES ('Joe','blue');

Which is fine. So if you test with Joe and blue you won't notice any
problems.
Now to SQL injection:

Suppose a funny guy posts the following:
$_POST["firstname"] contains: Joe
and
$_POST["favcolor"] contains:
ha!'); DELETE FROM tblprefs; INSERT INTO tblprefs (firstname,color)
VALUES ('Hacked by','whitehat

Now your SQL becomes:
INSERT INTO tblprefs (firstname,color) VALUES ('Joe','ha!');
DELETE FROM tblprefs;
INSERT INTO tblprefs (firstname,color) VALUES ('Hacked by','whitehat');

You don't want that SQL to execute, do you?
And all

Solution: ESCAPE YOUR STRINGS!
All databases offer functions for this.

Regards,
Erwin Moller


--
"That which can be asserted without evidence, can be dismissed without
evidence."
-- Christopher Hitchens
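The payload Erwin describes, run both ways against an in-memory SQLite database. This is an added example, not code from the original thread; it assumes PHP with the pdo_sqlite extension, and the table and the two starting rows are constructed here.

```php
<?php
// Added example (not from the post): the favcolor payload from the thread,
// first glued into the SQL text as in the WRONG snippet, then passed as a
// bound parameter. Assumes the pdo_sqlite extension is available.

function buildUnsafeSql(string $firstname, string $favcolor): string
{
    // The WRONG pattern from the post: the values become part of the SQL text.
    return "INSERT INTO tblprefs (firstname,color) VALUES ('"
        . $firstname . "','" . $favcolor . "');";
}

function insertSafely(PDO $pdo, string $firstname, string $favcolor): void
{
    // Placeholders: the values travel separately from the statement text, so a
    // quote or semicolon in the input is stored as data, never parsed as SQL.
    $stmt = $pdo->prepare(
        "INSERT INTO tblprefs (firstname,color) VALUES (:fn, :col)"
    );
    $stmt->execute([':fn' => $firstname, ':col' => $favcolor]);
}

function rowCount(PDO $pdo): int
{
    return (int) $pdo->query("SELECT COUNT(*) FROM tblprefs")->fetchColumn();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE tblprefs (firstname TEXT, color TEXT)");
$pdo->exec("INSERT INTO tblprefs VALUES ('Alice','red'), ('Bob','green')");

// Constructed input: the favcolor from the post, exactly as a form could submit it.
$firstname = "Joe";
$favcolor  = "ha!'); DELETE FROM tblprefs; "
    . "INSERT INTO tblprefs (firstname,color) VALUES ('Hacked by','whitehat";

// Unsafe path: the SQLite driver's exec() runs every statement in the string,
// so Joe is inserted, then every row (Joe included) is deleted, and only the
// 'Hacked by' row is left.
$pdo->exec(buildUnsafeSql($firstname, $favcolor));
printf("after concatenation: %d row(s) left\n", rowCount($pdo));

// Safe path: the same input becomes one extra row whose color column holds
// the whole string literally; Alice and Bob are untouched.
$pdo->exec("DELETE FROM tblprefs");
$pdo->exec("INSERT INTO tblprefs VALUES ('Alice','red'), ('Bob','green')");
insertSafely($pdo, $firstname, $favcolor);
printf("with bound parameters: %d row(s)\n", rowCount($pdo));
$stored = $pdo->query("SELECT color FROM tblprefs WHERE firstname = 'Joe'")->fetchColumn();
printf("stored color equals the raw input: %s\n", $stored === $favcolor ? 'yes' : 'no');
```

The post's "escape your strings" advice corresponds to PDO::quote() on each value; bound parameters give the same protection without depending on the escaping routine matching the server's quoting rules.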