On Fri, Jul 04, 2003 at 10:26:47AM +1000, JacobRhoden wrote:
> Even though this is getting waaay off topic...
>
> On Thu, 3 Jul 2003 07:46 pm, Matt Heath wrote:
> > Ever seen something like this :
> > $r = mysql_execute("select * from table_1 where id=$_GET[id];");
>
> Actually people do do the same thing in perl and you know it :P Both perl and
> php support calling sql with parameters using ? to insert variables. If
> someone does not know what language to use at all, I would suggest php simply
> because it's a good, quick, easy language to get started in without too much
> difficulty. (In lots of ways including not needing to understand cgi
> variables, and what the heck Content-type: text/html\n\n is, or learning how
> to include perl libraries to do all that stuff for you!)
You're missing the point. $_GET[id] is one of the arguments used when calling the PHP and as such is completely under the control of an external user. This permits all sorts of shenanigans that generally go under the name "SQL injection attacks". For instance, in this case, if you could arrange for the $_GET[id] variable to have the value 'joe OR 1=1' then you could dump out the whole of table_1. I'm sure that with a little thought you could come up with something much more damaging.

Exactly the same problem occurs with perl CGI --- any time you take user input in an application, you've got to assume that there will be hostile intent, and sanitize the input accordingly. The basic step in sanitization is to decide what characters are permitted in the input, and filter out everything else. You probably want to limit the length of the input, and (depending on the precise circumstances) there may be other criteria you can apply. Only then should you pass the input into your SQL select statement.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
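The two points raised in this thread, the string-interpolated query that lets an id parameter of the "OR 1=1" form dump the table, and the two defences (the ? placeholder that both DBI and PHP support, and the whitelist-plus-length check Matthew describes) can be seen side by side in a small runnable example. This is an added illustration, not code from either poster; it uses Python's standard sqlite3 module in place of PHP and MySQL because it runs without a database server, but the ? placeholder works the same way as in Perl DBI or PHP. The table, rows and the numeric injection input "0 OR 1=1" (the integer-column equivalent of the thread's 'joe OR 1=1') are all constructed for the demo.

```python
import re
import sqlite3

# Constructed sample rows standing in for the thread's table_1.
ROWS = [
    (1, "joe", "joe@example.invalid"),
    (2, "ann", "ann@example.invalid"),
    (3, "bob", "bob@example.invalid"),
]


def make_db():
    """Build an in-memory database with a three-row table_1."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE table_1 (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO table_1 VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_interpolated(conn, user_id):
    """The pattern quoted in the thread: the request parameter is pasted
    straight into the SQL text, so its characters become SQL syntax.
    Kept here only to show the failure; never use this form."""
    sql = "select * from table_1 where id=%s" % user_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """The ? placeholder form the thread mentions. The driver sends the
    value separately from the statement text, so 'OR 1=1' is compared
    against the id column as data and matches nothing."""
    return conn.execute(
        "select * from table_1 where id=?", (user_id,)
    ).fetchall()


# Whitelist from Matthew's reply: decide which characters are permitted
# (digits only for an id) and cap the length. Ten digits is an assumed limit.
ID_RE = re.compile(r"^[0-9]{1,10}$")


def validate_id(raw):
    """Return the id as an int, or raise ValueError if it is not 1-10 digits."""
    if not isinstance(raw, str) or not ID_RE.match(raw):
        raise ValueError("id must be 1-10 digits")
    return int(raw)


def lookup_safe(conn, raw):
    """Validate first, then bind: both defences applied together."""
    return lookup_parameterized(conn, validate_id(raw))


if __name__ == "__main__":
    db = make_db()
    hostile = "0 OR 1=1"
    print("interpolated:", lookup_interpolated(db, hostile))   # whole table leaks
    print("parameterized:", lookup_parameterized(db, hostile))  # []
    try:
        lookup_safe(db, hostile)
    except ValueError as exc:
        print("rejected by whitelist:", exc)
    print("safe lookup of '2':", lookup_safe(db, "2"))
```

Running it prints the full three-row table for the interpolated query, an empty result for the bound parameter, and a rejection from the whitelist; the validated lookup of "2" returns only ann's row. Note that sqlite3's execute() refuses stacked statements, so the demo shows the OR-based dump rather than anything more destructive, but the root cause is the same in every driver.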