Posted by shimmyshack on 03/21/07 17:22
On 21 Mar, 17:17, "shimmyshack" <matt.fa...@gmail.com> wrote:
> On 21 Mar, 16:54, "Lennart Anderson" <lennart.ander...@tele2.se>
> wrote:
>
> > "shimmyshack" <matt.fa...@gmail.com> wrote in message news:1174495509.099426.305700@e65g2000hsc.googlegroups.com...
>
> > > On 21 Mar, 15:24, "Lennart Anderson" <lennart.ander...@tele2.se>
> > > wrote:
> > >> I want to present a table with main data. Each record will have a field
> > >> acting like a link to a new page with detailed data on the selected
> > >> record.
> > >> My problem is that I can't get the record-ID parsed into the link
> > >> parameter.
> > >> Whatever I do will just let my $_GET['id'] give me what is after the
> > >> equal-sign in the link parameter.
> > >> The code is:
> > >> while($row = mysql_fetch_object($result))
> > >> {
> > >> $mid = ($row->catid);
> > >> $name = ($row->catname);
> > >> echo '<tr>';
> > >> echo '<td >' . $mid . '</td>';
> > >> echo '<td>' . '<a href="advertinfo.php?id=$mid">' . $name . '</a></td>';
> > >> echo '</tr>';
> > >> }
> > >> echo '</table>';
>
> > >> In this case the $_GET on advertinfo.php will only give me $mid.
> > >> I think the problem might be in the quotes but I also think I have tested
> > >> every possible combination without success.
> > >> Any solution or hint is very much appreciated.
>
> > > have you tested this combination?
> > > $mid = 'test';
> > > echo '<td><a href="advertinfo.php?id=' . $mid . '">' . $name . '</a></td>';
>
> > EUREKA
> > I have tested your suggestion now and it works.
> > Don't know how to thank you.
> > Now I can keep some of the hair on my head instead of rubbing it off in deep
> > frustration.
> > Again, thanks for the hint.
>
> cool, now make sure that you are secure by filtering the data that
> comes from your database,
> so I would actually do this:
>
> while($row = mysql_fetch_object($result))
> {
> $mid = urlencode($row->catid);
> $name = htmlentities($row->catname);
> echo '<tr>';
> echo '<td >' . $mid . '</td>';
> echo '<td>' . '<a href="advertinfo.php?id=' . $mid . '">' . $name . '</a></td>';
> echo '</tr>';
> }
>
> echo '</table>';
>
> unless you use utf-8 as the primary character set in which case use
> htmlentities('string',ENT_QUOTES,'UTF-8');
>
> It seems weird doesn't it, protecting your application against
> characters from your *own* database, but this is the world we live in.
oops! I forgot to filter the id too. You should run it through the
validator you use when you put it into your query, removing all
characters that are not numbers, making sure it's a number, and that it
falls within the limits your database will expect.
So, as a minimum, before taking characters and inserting them into the
html markup, you have to make sure that they contain NO html or
javascript, or if they do that it is inert.
The use of htmlentities can effectively take any characters that can
be used to inject fraudulent code into your page and hijack it.
I suppose you could do
$mid = htmlentities($row->catid);
and make sure that you check the $_GET['id'] before you include it in
the query you run against your table.
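The two halves of the advice in this thread (escape database values for the context they land in on the list page; validate $_GET['id'] and bind it before it reaches the query on advertinfo.php) as one runnable PHP script. This is an added example, not code posted by shimmyshack or Lennart. The rows are constructed inline in place of mysql_fetch_object($result), the second one carrying a hostile catname; the table and column names in fetchAdvert(), the INT UNSIGNED range, and the use of PDO in place of the mysql_* functions from the thread (which have no prepared statements and were removed in PHP 7) are assumptions.

```php
<?php
// Added example (not from the thread): output escaping on the list page and
// input validation plus a bound parameter on the advertinfo.php side.
declare(strict_types=1);

// Constructed sample rows standing in for mysql_fetch_object($result).
// The second catname is the kind of value an untrusted user could have saved.
$rows = [
    (object) ['catid' => 7,  'catname' => 'Bicycles & parts'],
    (object) ['catid' => 12, 'catname' => '"><script>alert(document.cookie)</script>'],
];

function h(string $s): string
{
    // Escape for HTML text and attribute context; ENT_QUOTES covers single quotes too.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderRow(object $row): string
{
    // The id passes through two contexts: a URL query string, then an HTML attribute.
    // urlencode for the URL, then h() for the attribute it is placed in.
    $href = 'advertinfo.php?id=' . urlencode((string) $row->catid);
    return '<tr><td>' . h((string) $row->catid) . '</td>'
         . '<td><a href="' . h($href) . '">' . h($row->catname) . '</a></td></tr>';
}

echo "<table>\n";
foreach ($rows as $row) {
    echo renderRow($row), "\n";   // the <script> in row 2 is emitted as &lt;script&gt;
}
echo "</table>\n";

// --- advertinfo.php side ---

// Returns the id as an int, or null unless it is a plain positive integer
// within the range the column can hold (INT UNSIGNED assumed here).
function validatedId(array $get, int $max = 4294967295): ?int
{
    if (!isset($get['id']) || !is_string($get['id'])) {
        return null;
    }
    $opts = ['options' => ['min_range' => 1, 'max_range' => $max]];
    $id = filter_var($get['id'], FILTER_VALIDATE_INT, $opts);
    return $id === false ? null : $id;
}

// Even after validation, bind the value instead of splicing it into the SQL.
// Table and column names are assumed for the example.
function fetchAdvert(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT catid, catname FROM categories WHERE catid = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed requests: only the first one would be handed to fetchAdvert().
foreach (['12', '12 OR 1=1', '-3', '99999999999', "1'"] as $raw) {
    $id = validatedId(['id' => $raw]);
    printf("%-14s => %s\n", var_export($raw, true), $id === null ? 'rejected' : "query id=$id");
}
```

Run it with `php example.php`: the first table row renders normally, the second shows the script tag as literal text, and of the five constructed id values only '12' survives validation. The validation and the bound parameter are deliberately both present: the whitelist catches garbage early with a clean error, while the prepared statement keeps the query safe even if a future code path forgets to call validatedId().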