--- David Otton <[EMAIL PROTECTED]> wrote:
> I can't be bothered to figure out a test case, but you apparently have
> a SQL injection risk with your code. You're assuming that the data from
> the client is correct.

This is a very good point. To highlight an example in the sample code you
provided (that David is referencing, I assume), look at the following:

>     foreach ($_POST['accomodatieid'] as $Key => $Value)
>     {
>          $query = "INSERT INTO ttra (reisid, accomodatieid)
>                    VALUES ($id2, $Value)";
>          $result = mysql_query ($query)

You're using values from $_POST (which can be anything, since it's data
supplied by a user, potentially a malicious one) directly in the SQL
statement that you send to MySQL. This grants a lot of power and
flexibility to the user, which is very dangerous.

In addition, you loop through $_POST, so that even unexpected data might
be used. This is even worse than expected data with an unexpected format.

To fix this, assign the data you find in $_POST to another variable (or
array) once you determine that it is valid. For example:

$safe = array();
if ($_POST['foo'] is valid data)
{
     $safe['foo'] = $_POST['foo'];
}

Then, you can use the $safe array, and only a flaw in your data filtering
(whatever code you use for "is valid data" above) will create the same
security hole that you currently have.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
     Coming mid-2004
HTTP Developer's Handbook
     http://httphandbook.org/
RAMP Training Courses
     http://www.nyphp.org/ramp
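Applying the $safe-array approach to the accomodatieid loop quoted above, as an added example that is not code from the thread. It assumes PHP 7 or later, that $id2 is an integer the script has already validated, and uses a constructed $_POST so it runs offline.

```php
<?php
// Added example (not from the original thread): only values that pass the
// whitelist check are copied into $safe; everything else is dropped.
function filter_accommodation_ids(array $post): array
{
    $safe = array();
    if (!isset($post['accomodatieid']) || !is_array($post['accomodatieid'])) {
        return $safe;                 // missing or wrong shape: nothing passes
    }
    foreach ($post['accomodatieid'] as $value) {
        // Whitelist: decimal digits only (no sign, spaces, quotes or SQL), bounded length.
        if (is_string($value) && ctype_digit($value) && strlen($value) <= 10) {
            $safe[] = (int) $value;
        }
    }
    return array_values(array_unique($safe));
}

// Build the INSERT statements from the filtered data only; %d forces integers.
function build_insert_queries(int $reisid, array $safe_ids): array
{
    $queries = array();
    foreach ($safe_ids as $accommodation_id) {
        $queries[] = sprintf(
            'INSERT INTO ttra (reisid, accomodatieid) VALUES (%d, %d)',
            $reisid,
            $accommodation_id
        );
    }
    return $queries;
}

// Constructed request: two valid ids, one tampered value, one empty string.
$_POST = array('accomodatieid' => array('17', '3 OR 1=1', '', '42'));
$id2   = 8;                           // assumed already validated by the script

$safe = filter_accommodation_ids($_POST);   // array(17, 42)
foreach (build_insert_queries($id2, $safe) as $query) {
    echo $query, "\n";
    // mysql_query($query);  // as in the original script; only filtered data reaches it
}
```

The tampered and empty values never reach the query string, so a flaw in filter_accommodation_ids() is the only way the original hole can reappear.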

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php