On Mar 19, 2008, at 4:45 PM, George J wrote:
Hi Daniel,
WHOA! Passing the SQL query via a URL is a Very Bad Idea[tm]!
As a newbie I just have to ask why. I suspect you're going to say it gives the table and field names used in my database. I'm not really aware of all the possible avenues that this method might open up. It just feels wrong to include these details. This is the reason I've asked for help.

The form part of the script works fine, so can we ignore that, or does it impact on the pagination code that I'm having trouble with?

When the form calls the script it passes all the parameters that the script uses to construct a SELECT query. This works fine.

When the pagination calls the script it passes a new page number. This works fine but is where my limited experience lets me down. I need to pass the SELECT query, as is, back to the same script with a way to change just the LIMIT part of the query. Changing the LIMIT parameters simply lets me display another page of the returned query. I can do this change prior to the call, but what options have I for including the query in my call? Could I camouflage the query parameters in an array, for example?
Hi George,
As a relative newbie myself I think I understand what you are trying to do. The reason Dan asked for the code though is because when you show the code we can easily point out what/where the issue is. If potential attackers have access to your field names they can much more easily try to insert stuff into your database.
What I would probably do though is something along the lines of this:
// Always escape your data to make it a little harder on the hackers
// (mysql_real_escape_string() needs an open mysql_connect() link first)
$par1 = mysql_real_escape_string($_POST['parameter1']);
$par2 = mysql_real_escape_string($_POST['parameter2']);
// Put quotes around the escaped values; unquoted, the escaping protects nothing
$sql = "SELECT * FROM tablename WHERE parameter1='" . $par1 . "' AND parameter2='" . $par2 . "'"; // etc etc etc...
There is more to this, but this should get you started. That way you can run the script calling the variables which were POSTed instead of GETed, so they won't be passed in the URL. It also has the benefit of not revealing your field names.

Now all of that was typed from memory, so please do check to make sure it makes sense why it's working.
JP
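One way to do the pagination George describes without ever putting the query in the URL, as an added example (not JP's code and not from the original thread): the first request carries the form values, each later request carries the same values plus a page number, and the script rebuilds one prepared statement every time, computing LIMIT/OFFSET from an integer-checked page. The table `items`, its columns, the form field names and the PDO DSN are assumptions.

```php
<?php
// Added example (not JP's code): carry the search values and a page
// number between requests, never the SQL text. Table `items`, columns
// `category`/`price`, form fields and the DSN are assumptions.
const PAGE_SIZE = 20;

function fetchPage(PDO $db, string $category, int $maxPrice, int $page): array
{
    $page   = max(1, $page);              // page 0 or negative becomes page 1
    $offset = ($page - 1) * PAGE_SIZE;

    // Search values are bound, not concatenated, so nothing the user
    // types can change the structure of the query.
    $stmt = $db->prepare(
        'SELECT id, name, price FROM items
          WHERE category = :category AND price <= :max_price
          ORDER BY id LIMIT :limit OFFSET :offset'
    );
    $stmt->bindValue(':category',  $category);
    $stmt->bindValue(':max_price', $maxPrice, PDO::PARAM_INT);
    // LIMIT/OFFSET must be bound as integers: a quoted string there is a
    // syntax error in MySQL.
    $stmt->bindValue(':limit',  PAGE_SIZE, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset,   PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// First request comes from the form (POST), later ones from the paging
// links (GET); both go through the same integer checks.
$in       = $_POST + $_GET;
$category = (string) ($in['category'] ?? '');
$maxPrice = filter_var($in['max_price'] ?? 0, FILTER_VALIDATE_INT) ?: 0;
$page     = filter_var($in['page'] ?? 1, FILTER_VALIDATE_INT) ?: 1;

$db = new PDO('mysql:host=localhost;dbname=shop', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);
$rows = fetchPage($db, $category, $maxPrice, $page);

// The "next page" link repeats the values plus page+1; the SQL text and
// its column names stay inside this script and never reach the browser.
$next = '?' . http_build_query([
    'category' => $category, 'max_price' => $maxPrice, 'page' => $page + 1,
]);
```

Because the query is rebuilt server-side from checked values, a tampered `page` or `max_price` in the URL can at worst select a different page, not alter the statement.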
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php