Posted by Rik on 02/21/07 10:17
Peter Fox <peterfox@eminent.demon.co.uk.not.this.bit.no.html> wrote:
>> And the receiving script would do something like this:
>>
>> <?php
>> $book_id = intval($_GET['recordnum']);
>> $bookresult = mysql_query('SELECT * FROM `book` WHERE `id` = '.$book_id);
>> if(mysql_num_rows($bookresult) > 0){
>>     $book = mysql_fetch_assoc($bookresult);
>>     //
>> } else {
>>     echo 'Book not found in database.';
>> }
>> ?>
>
> Ask why
> $book_id = intval($_GET['recordnum']);
> is used early on in the script and is it there just to 'keep things tidy'?
> What naughty things could happen if it was just
> $book_id = $_GET['recordnum'];
Google SQL injection.
> Supplementary question: What would you do here if you were getting a
> string instead of a number to use in your SQL?
If possible prepared statements, else mysql_real_escape_string();
> Another supplementary question: Why would it be a _bad_ idea to 'be
> helpful' with the 'not found' message by echoing back the input as
> follows:
> $recno = GET['recordnum'];
> print("Sorry we could not find your request for $recno");
Because it could contain evil code. I think you know the answers to these
already :P. It's far beyond the scope of the question to go in great
detail about security and database handling, as it was local, I was only
offering a starting point.
--
Rik Wasmus
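The three answers above (prepared statements for the lookup, escaping for the echoed-back input) as one added example, not code from either poster. It uses PDO with an in-memory SQLite table named `book` so it runs stand-alone; the table, rows and the `find_book_*` / `not_found_message` function names are constructed for this example, and a MySQL DSN would work the same way.

```php
<?php
// Added example (not from the thread): id and title lookups via PDO
// prepared statements, plus an HTML-escaped 'not found' message.
// In-memory SQLite stands in for the MySQL database of the original post.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE book (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO book (id, title) VALUES (1, 'Dune'), (2, 'Emma')");

// Numeric key: intval() remains a sensible first check, but the bound
// parameter means the value is never spliced into the SQL text at all.
function find_book_by_id(PDO $db, $raw): ?array {
    $stmt = $db->prepare('SELECT * FROM book WHERE id = :id');
    $stmt->bindValue(':id', intval($raw), PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// String key: no escaping call is needed; the driver passes the value
// separately from the query, so quotes in $raw stay literal data.
function find_book_by_title(PDO $db, string $raw): ?array {
    $stmt = $db->prepare('SELECT * FROM book WHERE title = :title');
    $stmt->execute([':title' => $raw]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Echoing input back is only safe once it is escaped for the output
// context (here HTML), so markup in the request is rendered as text.
function not_found_message(string $raw): string {
    return 'Sorry, we could not find your request for '
         . htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs standing in for $_GET['recordnum'].
$quoted = "Emma' OR 'a'='a";
var_dump(find_book_by_id($db, '2'));
var_dump(find_book_by_title($db, $quoted));   // matched as a literal title
echo not_found_message('<b>' . $quoted . '</b>'), "\n";
```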