Hi there.. I need to pass variables to a page through an html link. I do it like this:
<A href="Extra/excelListing3.php?buildQuery=<?php echo $buildQuery ?>">Export</A>
where 'buildQuery' is the variable Iīm passing.
In the destination page, I capture it with $_GET and thatīs it.
I want to know if there is any way of doing it without showing the variables in the direction bar.
Hi Pablo,
The method you are using to send the query is not a very secure method (depending on how you run it.)
Based on the source code shown, I imagine you have something like this code in excelListing3.php:
$buildQuery = $_GET['buildQuery'];
somedb_query($buildQuery);
What this means is that someone who knows your database structure can type this into their web browser:
http://www.yourhost.com/excelListing3.php?buildQuery=DROP+DATABASE+yourdb
and your program will happily execute it.
Far better is to parameterize your queries and limit the possible input. By this I mean to define a few queries that can be executed, and give them numbers
<A href="Extra/excelListing3.php?queryType=export&queryVar1=<?php echo $queryVar1 ?>&queryVar2=<?php echo $queryVar2 ?>">Export</A>
switch ($_GET['queryType']) {
case 'export' :
$query = 'SELECT * FROM yourdb WHERE queryVar1="' . mysql_escape_string($_GET['queryVar1']) . '" AND queryVar2="' . mysql_escape_string($_GET['queryVar2']) . '"';
}
and so on. I am assuming here that you are using mysql, but simply substitute the appropriate escaping function for another database.
Web security hinges on ensuring that your allowed input is finite and verifiable.
Greg
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
