Posted by AnrDaemon on 10/24/07 14:21
Greetings, Jeff Gaines.
In reply to Your message dated Tuesday, October 23, 2007, 19:51:16,
JG> I have downloaded several php scripts and am working my way through them
JG> as part of my learning process. I have noticed situations like this:
JG> mysql_query("DELETE FROM $table WHERE id=$id",$db);
JG> where scripts have been called from another script/page with a parameter -
JG> i.e. 'id' is a parameter that is not defined in the script before the
JG> above line is called.
JG> They don't work as they are but I can get the parameters by using
JG> $_GET['id'] or sometimes $_POST['id'].
It is a bad, very bad idea to trust something entered by a user.
Example?
You have code
"SELECT user_id FROM users WHERE user_name = '{$_POST['name']}' AND user_password = MD5('{$_POST['password']}')"
Then I submit the form
name="admin' --"
password="any"
Et voilà... I'm authorized as admin of Your website.
--
Sincerely Yours, AnrDaemon <anrdaemon@freemail.ru>
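The login query above, reproduced as an added example (not code from either poster) so that the two forms can be run side by side: the interpolated query exactly as the post describes it, and the same lookup written with bound parameters, which is the fix for the problem AnrDaemon points out. It uses an in-memory SQLite database with a constructed `users` table instead of MySQL; the table name, the stored password and the `login_*` function names are assumptions made for the example. MD5 is kept only to mirror the post's query, and SQLite, like MySQL, treats `--` as the start of a comment, so the post's `admin' --` input behaves the same way here.

```python
import hashlib
import sqlite3


def md5_hex(text: str) -> str:
    """MD5 hex digest, used only to mirror the MD5() call in the post's query."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with a single admin row (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, user_name TEXT, user_password TEXT)"
    )
    # Stored password is an assumed sample value; a real application would use a
    # slow, salted password hash rather than MD5.
    conn.execute(
        "INSERT INTO users VALUES (1, 'admin', ?)", (md5_hex("correct horse"),)
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str):
    """Same shape as the post's query: user input is pasted into the SQL text.

    With name = "admin' --" the closing quote is supplied by the attacker and
    the rest of the WHERE clause becomes a comment, so the password check is
    never evaluated. Returns the matched user_id or None.
    """
    sql = (
        f"SELECT user_id FROM users WHERE user_name = '{name}' "
        f"AND user_password = '{md5_hex(password)}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, name: str, password: str):
    """Hardened form: placeholders, with values handed to the driver separately.

    The SQL text is fixed; "admin' --" is compared literally against user_name
    and cannot alter the statement. Returns the matched user_id or None.
    """
    sql = "SELECT user_id FROM users WHERE user_name = ? AND user_password = ?"
    row = conn.execute(sql, (name, md5_hex(password))).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected name:", login_vulnerable(db, "admin' --", "any"))
    print("parameterized, injected name:", login_safe(db, "admin' --", "any"))
    print("parameterized, real credentials:", login_safe(db, "admin", "correct horse"))
```

In PHP the equivalent of `login_safe` is a prepared statement (`mysqli_prepare`/`bind_param` or PDO `prepare`/`execute` with bound values) rather than `mysql_query` on a string built from `$_POST`; the property that matters is the same in both languages, namely that the query text never contains the user's input.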