Re: fetch items from a row [message #182450 is a reply to message #182438]
Sun, 04 August 2013 21:27
The Natural Philosoph
Messages: 993 Registered: September 2010
On 04/08/13 18:06, Mladen Gogala wrote:
> On Fri, 03 May 2013 21:49:52 +0100, Tim Streater wrote:
>
>> More likely:
>>
>> $result = mysql_query("SELECT id,email FROM people WHERE id = '" .
>> $_GET['number'] . "'");
> And the code like that is the basis for all SQL injection attacks. It's
> so frequent that even comic strips have been written about it:
>
> http://xkcd.com/327/
>
> If you have such code in the client facing application, prepare to meet
> little Bobby Tables.
>
>
avoided simply by:
$result = mysql_query(sprintf("SELECT id,email FROM people WHERE id = '%d'",
$_GET['number'] ));
Using sprintf not only makes everything look reasonable at code
inspection level, it self-validates stuff that should be a number and
guarantees only a number.
Likewise either escape strings or hexify them.
It isn't rocket science.
--
Ineptocracy
(in-ep-toc’-ra-cy) – a system of government where the least capable to lead are elected by the least capable of producing, and where the members of society least likely to sustain themselves or succeed, are rewarded with goods and services paid for by the confiscated wealth of a diminishing number of producers.
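The following is an added illustration, not code from the thread, of the two query-building approaches the post names: sprintf with %d for the numeric id, and hexifying for a free-text value. It runs offline with no database: $_GET is stood in for by a constructed $inputs array, the function names idQuery and emailQuery are my own, and the queries are only built and printed, not executed. One caveat worth knowing: PHP's %d coerces rather than rejects, so 'abc' silently becomes 0 and '42abc' becomes 42; the ctype_digit check in front of sprintf turns that silent coercion into an explicit rejection.

```php
<?php
// Added example, not from the original post. Builds the thread's two queries
// without concatenating raw request input into SQL.
declare(strict_types=1);

// Numeric id: %d guarantees an integer ends up in the SQL text. Because
// sprintf coerces instead of failing ('abc' -> 0, '42abc' -> 42), validate
// first so a malformed id is rejected rather than quietly turned into 0.
function idQuery(string $raw): string
{
    if (!ctype_digit($raw)) {
        throw new InvalidArgumentException("id must be a non-negative integer, got: $raw");
    }
    return sprintf("SELECT id,email FROM people WHERE id = '%d'", $raw);
}

// Free-text value, "hexified": MySQL reads 0x6f62... as a binary string
// literal, so the bytes never reach the SQL parser as quoted text and no
// escaping is needed. The empty string is the edge case: "0x" alone is a
// syntax error, so it is emitted as '' instead.
function emailQuery(string $raw): string
{
    $literal = ($raw === '') ? "''" : '0x' . bin2hex($raw);
    return sprintf("SELECT id,email FROM people WHERE email = %s", $literal);
}

// Constructed inputs standing in for $_GET['number'] / $_GET['email'].
$ids = ['7', '42abc', 'abc', ''];
foreach ($ids as $id) {
    try {
        echo idQuery($id), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}

$emails = ["o'brien@example.com", ''];
foreach ($emails as $email) {
    echo emailQuery($email), PHP_EOL;
}
```

Note that a hex literal compares as a binary string, so against a non-binary VARCHAR column the match becomes case-sensitive; where that matters, the usual alternative is a prepared statement with a bound parameter (mysqli or PDO), which keeps the value out of the SQL text altogether and is the replacement for the mysql_* functions the thread uses, which no longer exist in current PHP.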