Re: fetch items from a row [message #182451 is a reply to message #182450]
Sun, 04 August 2013 22:15
Tim Streater
Messages: 328 Registered: September 2010
In article <ktmgv5$bra$1(at)news(dot)albasani(dot)net>,
The Natural Philosopher <tnp(at)invalid(dot)invalid> wrote:
> On 04/08/13 18:06, Mladen Gogala wrote:
>> On Fri, 03 May 2013 21:49:52 +0100, Tim Streater wrote:
>>
>>> More likely:
>>>
>>> $result = mysql_query("SELECT id,email FROM people WHERE id = '" .
>>> $_GET['number'] . "'");
>> And the code like that is the basis for all SQL injection attacks. It's
>> so frequent that even comic strips have been written about it:
>>
>> http://xkcd.com/327/
>>
>> If you have such code in the client facing application, prepare to meet
>> little Bobby Tables.
>>
>>
> avoided simply by:
>
> $result = mysql_query(sprintf("SELECT id,email FROM people WHERE id = '%d'",
> $_GET['number'] ));
>
> Using sprintf not only makes everything look reasonable at code
> inspection level, it self-validates stuff that should be a number and
> guarantees only a number.
>
> Likewise either escape strings or hexify them.
>
> It isn't rocket science.
Oh yeah, it turns out I did write that. Well duh. Mr Gogala can't have
read the thread, otherwise he would have seen that the point was to find
out WTF richard was babbling about wrt strings. Problems resulting from
lack of code sanitisation are second order at most where he's concerned.
--
Tim
"That excessive bail ought not to be required, nor excessive fines imposed,
nor cruel and unusual punishments inflicted" -- Bill of Rights 1689
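As an added illustration of the three approaches discussed in this exchange (not code from the thread), the PHP below builds the query with plain concatenation, with sprintf('%d'), and with a PDO prepared statement; PDO is my substitution for the mysql_* functions, which no longer exist in PHP 7 and later, and the function argument stands in for $_GET['number'].

```php
<?php
// Added example, not from the thread. $number stands in for $_GET['number'].

// 1. Raw concatenation, as in the quoted original: the caller's string is
//    spliced into the SQL unchanged, so anything other than a plain number
//    changes what the statement means.
function buildRawQuery(string $number): string
{
    return "SELECT id,email FROM people WHERE id = '" . $number . "'";
}

// 2. sprintf('%d'), as suggested in the reply: the argument is converted to
//    an integer before it reaches the SQL, so non-numeric input becomes 0 and
//    the statement's structure cannot change. This only helps for integer
//    columns; it does nothing for string parameters, which still need
//    escaping or, better, a prepared statement.
function buildSprintfQuery(string $number): string
{
    return sprintf("SELECT id,email FROM people WHERE id = '%d'", $number);
}

// 3. Prepared statement via PDO (assumed here in place of mysql_query): the
//    value travels separately from the SQL text, so the same pattern works
//    for string parameters as well as integer ids.
function fetchByIdPrepared(PDO $db, string $number): array
{
    $stmt = $db->prepare('SELECT id, email FROM people WHERE id = :id');
    $stmt->bindValue(':id', (int) $number, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal id and a non-numeric one.
foreach (['42', 'abc'] as $input) {
    echo buildRawQuery($input), "\n";      // 'abc' is passed through verbatim
    echo buildSprintfQuery($input), "\n";  // 'abc' becomes 0, '42' stays 42
}
```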