[PHP] Protecting Queries

2002-11-17 Thread Stephen



Since day one of me doing MySQL stuff in PHP, I've always set 
up my query as a variable then put it into the query function such as 
this:

 $query = "SELECT * FROM bobstuff WHERE id='1'";
 $result = mysql_query($query, $connection);

I've just become aware of the security risks of this. How could 
I make it so the $query variable isn't editable from the URL? Should I turn 
register_globals off?

Thanks,
Stephen Craton
http://www.melchior.us

"Life is a gift from God. Wasting it is like destroying a gift you got from 
the person you love most." -- http://www.melchior.us
-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Re: [PHP] Protecting Queries

2002-11-17 Thread Jonathan Sharp
the issue isn't with the query, it's with the variables used within queries...

example:
$id = $_GET['id'];
$query = "SELECT * FROM mytable WHERE id=$id";

and if you call this page as (or something like this):
?id='' OR 1=1

You can alter the query

-js


Stephen wrote:
 Since day one of me doing MySQL stuff in PHP, I've always set up my
 query as a variable then put it into the query function such as this:
  
 $query = "SELECT * FROM bobstuff WHERE id='1'";
 $result = mysql_query($query, $connection);
  
 I've just become aware of the security risks of this. How could I make it
 so the $query variable isn't editable from the URL? Should I turn
 register_globals off?
 
 Thanks,
 Stephen Craton
 http://www.melchior.us
  
 Life is a gift from God. Wasting it is like destroying a gift you got
 from the person you love most. -- http://www.melchior.us
 








Re: [PHP] Protecting Queries

2002-11-17 Thread Rasmus Lerdorf
No, that is fine.  User-supplied data cannot override a variable defined
directly in your script like that, regardless of the register_globals
setting.

-Rasmus

On Sun, 17 Nov 2002, Stephen wrote:

 Since day one of me doing MySQL stuff in PHP, I've always set up my query as a 
variable then put it into the query function such as this:

 $query = "SELECT * FROM bobstuff WHERE id='1'";
 $result = mysql_query($query, $connection);

 I've just become aware of the security risks of this. How could I make it so the 
$query variable isn't editable from the URL? Should I turn register_globals off?

 Thanks,
 Stephen Craton
 http://www.melchior.us

 Life is a gift from God. Wasting it is like destroying a gift you got from the 
person you love most. -- http://www.melchior.us






Re: [PHP] Protecting Queries

2002-11-17 Thread Stephen
What I meant was something like this:

  The user types in the URL http://myplace/script.php?query=DELETE * FROM table WHERE id=1.
  The query is overwritten and the section is deleted...

Is that possible?


 - Original Message -
 From: Rasmus Lerdorf [EMAIL PROTECTED]
 To: Stephen [EMAIL PROTECTED]
 Cc: PHP List [EMAIL PROTECTED]
 Sent: Sunday, November 17, 2002 3:46 PM
 Subject: Re: [PHP] Protecting Queries


  No, that is fine.  User-supplied data cannot override a variable defined
  directly in your script like that, regardless of the register_globals
  setting.
 
  -Rasmus
 




Re: [PHP] Protecting Queries

2002-11-17 Thread Stephen
Oh, right, thanks!


- Original Message -
From: Rasmus Lerdorf [EMAIL PROTECTED]
To: Stephen [EMAIL PROTECTED]
Sent: Sunday, November 17, 2002 4:05 PM
Subject: Re: [PHP] Protecting Queries


 No, like I said, since you set $query in your script, whatever the user
 passes in is overwritten.





Re: [PHP] Protecting Queries

2002-11-17 Thread Alnisa Allgood
At 3:31 PM -0500 11/17/02, Stephen wrote:

Since day one of me doing MySQL stuff in PHP, I've always set up my 
query as a variable then put it into the query function such as this:

$query = "SELECT * FROM bobstuff WHERE id='1'";
$result = mysql_query($query, $connection);

I've just become aware of the security risks of this. How could I make 
it so the $query variable isn't editable from the URL? Should I turn 
register_globals off?



Typically speaking, you should always use the PHP 
mysql_escape_string() function when accepting data from users. 
I'm not certain it's relevant in your situation, since your 
variable is predefined, but this would be of importance for any forms 
you would have. To use it you just add some code such as:

	$usrName=mysql_escape_string($usrName);

one for each field on a form, then you can do

	$result = mysql_query("SELECT * FROM abc WHERE usrName='$usrName'", $gDB);

This will protect you from users who enter Select, DROP, and other 
statements in your data field.

Alnisa
--
  .
   Alnisa  Allgood
   Executive Director
   Nonprofit Tech
   (ph) 415.337.7412  (fx) 415.337.7927
   (url)  http://www.nonprofit-techworld.org
   (url)  http://www.nonprofit-tech.org
   (url)  http://www.tech-library.org
  .
   Nonprofit Tech E-Update
   mailto:[EMAIL PROTECTED]
  .
   transforming nonprofits through technology
  .
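The following is an added example and not code from anyone in this thread. It puts Jonathan Sharp's point (the risk is the variable pasted into the SQL text, not the $query variable itself) next to the two defences the thread touches on: escaping the value, as Alnisa describes, and a prepared statement, which is the approach to prefer today because the value never becomes part of the SQL text. It runs offline against an in-memory SQLite database through PDO; the mysql_* functions used in the thread were removed in PHP 7, so PDO stands in for them. The table rows, the use of SQLite, and the function names are assumptions for the demo; mytable and usrName are borrowed from the posts above.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). Assumes the pdo_sqlite extension.
// Table name and usrName column come from the thread; rows are constructed here.
function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE mytable (id INTEGER PRIMARY KEY, usrName TEXT NOT NULL)');
    $db->exec("INSERT INTO mytable (id, usrName) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
    return $db;
}

// 1. The pattern from the thread: the URL value is spliced into the SQL text,
//    so SQL syntax inside the value (the thread's '' OR 1=1) is executed as SQL.
function lookupUnsafe(PDO $db, string $id): array
{
    $query = "SELECT id FROM mytable WHERE id=$id";
    return $db->query($query)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Escaping, as Alnisa describes. PDO::quote() is the PDO counterpart of
//    mysql_escape_string(): it escapes the value for the driver's character set
//    and wraps it in quotes. Escaping only helps when the value sits in a quoted
//    string position; an unquoted numeric position like the one in lookupUnsafe
//    gains nothing from escaping alone.
function lookupEscaped(PDO $db, string $id): array
{
    $quoted = $db->quote($id);   // '' OR 1=1 becomes the single literal '''' OR 1=1'
    $query  = "SELECT id FROM mytable WHERE id=$quoted";
    return $db->query($query)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. A prepared statement: the SQL text is fixed before the value is known and
//    the value is bound as data, so it cannot change the statement's structure.
//    No escaping is needed and the quoting context no longer matters.
function lookupPrepared(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT id FROM mytable WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = openDemoDb();
foreach (['1', "'' OR 1=1"] as $input) {   // second input is the thread's own example
    printf(
        "input %-14s unsafe=%-8s escaped=%-8s prepared=%s\n",
        var_export($input, true),
        json_encode(lookupUnsafe($db, $input)),
        json_encode(lookupEscaped($db, $input)),
        json_encode(lookupPrepared($db, $input))
    );
}
```

Run it with the php CLI. For the first input all three lookups agree; for the second, the unsafe lookup returns every row because the WHERE clause has become `id='' OR 1=1`, while the escaped and prepared lookups compare the whole input string against id as a single value and return nothing. The prepared form is the one to carry into new code: it stays correct regardless of whether the placeholder sits in a quoted or an unquoted position.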

