Posted by Lennart Anderson on 03/21/07 17:37
"shimmyshack" <matt.farey@gmail.com> wrote in message
news:1174497720.594680.242780@b75g2000hsg.googlegroups.com...
> On 21 Mar, 17:17, "shimmyshack" <matt.fa...@gmail.com> wrote:
>> On 21 Mar, 16:54, "Lennart Anderson" <lennart.ander...@tele2.se>
>> wrote:
>>
>> > "shimmyshack" <matt.fa...@gmail.com> wrote in message
>> > news:1174495509.099426.305700@e65g2000hsc.googlegroups.com...
>>
>> > > On 21 Mar, 15:24, "Lennart Anderson" <lennart.ander...@tele2.se>
>> > > wrote:
>> > >> I want to present a table with main data. Each record will have a
>> > >> field acting like a link to a new page with detailed data on the
>> > >> selected record.
>> > >> My problem is that I can't get the record-ID parsed into the link
>> > >> parameter.
>> > >> Whatever I do will just let my $_GET['id'] give me what is after the
>> > >> equal-sign in the link parameter.
>> > >> The code is:
>> > >> while($row = mysql_fetch_object($result))
>> > >> {
>> > >> $mid = ($row->catid);
>> > >> $name = ($row->catname);
>> > >> echo '<tr>';
>> > >> echo '<td >' . $mid . '</td>';
>> > >> echo '<td>' . '<a href="advertinfo.php?id=$mid">' . $name .
>> > >> '</a></td>';
>> > >> echo '</tr>';
>> > >> }
>> > >> echo '</table>';
>>
>> > >> In this case the $_GET on advertinfo.php will only give me $mid.
>> > >> I think the problem might be in the quotes but I also think I have
>> > >> tested every possible combination without success.
>> > >> Any solution or hint is very much appreciated.
>>
>> > > have you tested this combination?
>> > > $mid = 'test';
>> > > echo '<td><a href="advertinfo.php?id=' . $mid . '">' . $name .
>> > > '</a></td>';
>>
>> > EUREKA
>> > I have tested your suggestion now and it works.
>> > Don't know how to thank you.
>> > Now I can keep some of the hair on my head instead of rubbing it off in
>> > deep frustration.
>> > Again thanks for the hint
>>
>> cool, now make sure that you are secure by filtering the data that
>> comes from your database,
>> so I would actually do this:
>>
>> while($row = mysql_fetch_object($result))
>> {
>> $mid = urlencode($row->catid);
>> $name = htmlentities($row->catname);
>> echo '<tr>';
>> echo '<td >' . $mid . '</td>';
>> echo '<td>' . '<a href="advertinfo.php?id=' . $mid . '">' . $name .
>> '</a></td>';
>> echo '</tr>';
>> }
>> echo '</table>';
>>
>> unless you use utf-8 as the primary character set, in which case use
>> htmlentities('string',ENT_QUOTES,'UTF-8');
>>
>> It seems weird doesn't it, protecting your application against
>> characters from your *own* database, but this is the world we live in.
>
> oops! I forgot to filter the id too, you should run it through the
> validator you use when you put it into your query, removing all
> characters that are not numbers, making sure it's a number, and that it
> falls within the limits your database will expect.
>
> So, as a minimum, before taking characters and inserting them into the
> html markup, you have to make sure that they contain NO html or
> javascript, or if they do that it is inert.
>
> The use of htmlentities can effectively neutralize any characters that
> could be used to inject fraudulent code into your page and hijack it.
>
> I suppose you could do
> $mid = htmlentities($row->catid);
>
> and make sure that you check the $_GET['id'] before you include it in
> the query you run against your table.
>
Thanks.
Although I'm not yet too experienced in PHP, I think I see what you mean and
will take this into consideration for my coming work. I'm trying to help my
daughter with a kind of advertisement and selling place for the Cayman
Islands.
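
The advice given in the thread (urlencode the id, htmlentities the name, and validate $_GET['id'] before it gets anywhere near the query), collected into one worked page. This is added example code, not code posted by anyone in the thread. It keeps the thread's names (catid, catname, advertinfo.php) and assumes a current PHP with PDO, an `adverts` table, and constructed sample rows in place of the original mysql_* result set.

```php
<?php
// Added example, not code from the original thread: the thread's advice
// (urlencode the id, htmlentities the name, validate $_GET['id'] before it
// goes anywhere near the query) collected into one page. catid, catname and
// advertinfo.php come from the thread; PDO, the `adverts` table name and the
// sample rows below are assumptions made for this example.

declare(strict_types=1);

// Build one table cell holding the link for a record. Two encodings apply,
// innermost first:
//   1. urlencode() keeps the id a single query-string value, so a '&', '#'
//      or '=' inside the data cannot add, change or cut off parameters;
//   2. htmlspecialchars() with ENT_QUOTES stops the URL or the name from
//      closing the attribute or the tag. This is needed even for rows from
//      your own database, because someone else may have written them.
function render_link(string $catid, string $catname): string
{
    $url  = 'advertinfo.php?id=' . urlencode($catid);
    $href = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    $text = htmlspecialchars($catname, ENT_QUOTES, 'UTF-8');
    return '<td><a href="' . $href . '">' . $text . '</a></td>';
}

// Validate the raw $_GET['id'] on advertinfo.php: digits only, and within
// the range the column can hold (assumed here: unsigned INT, 1..4294967295).
// Returns null for anything else so the caller never queries on bad input.
function validate_id(?string $raw): ?int
{
    if ($raw === null || !ctype_digit($raw) || strlen($raw) > 10) {
        return null;
    }
    $id = (int) $raw;
    return ($id >= 1 && $id <= 4294967295) ? $id : null;
}

// Fetch the record with a prepared statement: the validated id travels as a
// bound parameter, never as text pasted into the SQL. (The PDO connection and
// the `adverts` table are assumptions; the thread used the old mysql_* calls.)
function fetch_advert(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT catid, catname FROM adverts WHERE catid = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample rows standing in for mysql_fetch_object($result). The
// second row is what a hostile entry in the table could look like.
$rows = [
    ['catid' => '42',        'catname' => 'Boats & Marine'],
    ['catid' => '7&admin=1', 'catname' => '"><script>alert(1)</script>'],
];

echo "<table>\n";
foreach ($rows as $row) {
    echo '<tr><td>' . htmlspecialchars($row['catid'], ENT_QUOTES, 'UTF-8') . '</td>'
       . render_link($row['catid'], $row['catname']) . "</tr>\n";
}
echo "</table>\n";

// Receiving side: only the first of these passes validation; the others
// (injection attempt, empty, zero, out of range) are rejected before any query.
foreach (['42', '7&admin=1', '', '0', '99999999999'] as $raw) {
    var_dump(validate_id($raw));
}
```

Pass ENT_QUOTES explicitly even though PHP 8.1 made it part of the default flags for htmlspecialchars(); on the PHP of the thread's era a single-quoted attribute value would otherwise be left unescaped. The validation and the prepared statement are two separate layers: the first rejects junk early with a clean error, the second guarantees that whatever does reach the database is treated as a value and not as SQL.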