|
Posted by Christoph Burschka on 11/14/06 08:39
Michael Fesser schrieb:
> .oO(kenoli)
>
>
>>So, suppose I wanted to derive something like:
>>
>>WHERE $key1=$value1 AND $key2=$value2 . . .
>>
>
>>from my $_POST?
>
>>How would I construct that?
>
>
> You should start with thinking about SQL injection. Using user-submitted
> values in a database query without any validation is dangerous.
>
> Micha
Indeed, SQL injection is a pretty big risk if you don't know about it,
but it's very easy to prevent.
Until you take the time to write a good validation function, the
following two things should be safe enough:
- Removing single ' quotes from the values
- Setting an array of the parameter names you will use, and only iterate
over these keys instead of all post parameters.
$keys = array('first_name','last_name','address');
$where = array();
foreach ($keys as $key) {
if ($_POST[$key]) {
$_POST['key']=str_replace("'","",$_POST['key'])
$where[]="$key='".$_POST['key']."'";
}
}
$sql = "... WHERE ".implode(" AND ",$where).";";
This will firstly ensure that nobody injects stuff using single quotes
in the value field, and secondly that nobody can use different field
names than are provided. Even leaving aside the risk of injection, it
will make the page much less prone to crashing with an ugly error message.
----
(Note: Nobody's ever seriously tried to break my site, so I don't know
if this is perfectly secure. If there's a loophole, please point it out...)
[Back to original message]
|