|
Posted by Jerry Stuckle on 01/30/08 12:55
Gilles Ganault wrote:
> On Tue, 29 Jan 2008 20:53:29 -0500, Jerry Stuckle
> <jstucklex@attglobal.net> wrote:
>> And adding a checkbox isn't hard at all. But don't just use
>> the primary key id in the checkbox unless you have some other way
>> to protect your page from hackers.
>
> The definitive wrong way to do things:
> ============
> <?php
>
> switch ($status) {
> case "delete":
> foreach ($item as $bit) {
> $query = "DELETE FROM " . $table . " WHERE id=" . $bit;
> $result = mysql_query($query) or die("Query failed: " .
> mysql_error());
> }
> break;
>
> default:
> echo "<form method=post>";
> echo "<input type=checkbox name=item[] value=1>"
> echo "<input type=checkbox name=item[] value=2>"
> echo "<input type=hidden name=status value=delete>";
> echo "<input type=submit value=Delete>";
> echo "</form>";
>
> }
> ?>
> ============
>
> BTW, is there some book like "The 50 pitfalls of writing web apps in
> PHP" that would take real-life newbie errors like the above, explain
> why they're wrong, and the safe way to rewrite them?
>
> Thanks.
>
Well, let's see. First of all, you should never use "or die()" in
production code. It's fine for testing, but you need a graceful
recovery in production. You do not want your page to stop in the middle
of loading with "Query failed" or a message from MySQL in the window!
You're just deleting rows, without validating the user has permission to
delete the row. This would be fine for an admin interface, where access
is restricted and the admin person can delete any row. However, it is
not good for a public interface.
And always validate any data from your user. For instance, what would
happen if I submitted a form to your page with:
<input type=checkbox name=item[] value="1 OR 2=2">
Your query would end up as:
DELETE FROM mytable WHERE id=1 OR 2=2
And guess what would be deleted? :-)
Not sure what else they're talking about.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Navigation:
[Reply to this message]
|