I noticed the use of SQL concatenation like:

$allowed_fields = array(
    'Site'   => $_POST['Site'],
    'MedRec' => $_POST['MedRec'],
    'Fname'  => $_POST['Fname'],
    'Lname'  => $_POST['Lname'],
    'Phone'  => $_POST['Phone'],
    'Sex'    => $_POST['Sex'],
    'Height' => $_POST['Height']
);

if (empty($allowed_fields))
{
    echo "ouch";
}

$query = "select * from Intake3 where 1 ";

foreach ($allowed_fields as $key => $val)
{
    if ($val != '')
    {
        $query .= " AND ($key = '$val') ";
    }
    $result1 = mysqli_query($cxn, $query);
}

and like

$query2 = "select * from Visit3 where 1 AND (Site = 'AA') AND (MedRec = $_GLOBALS[mdr])";

This is a "SQL Injection" security risk. There is a lot of material
on the web about this, e.g.
https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet

I cannot strongly enough suggest you rewrite the app to mitigate
against this issue.

Also, set error_reporting = E_ALL & E_STRICT in your php.ini file to
help you identify some of your other code issues.

Chris

--
christopher.jo...@oracle.com
http://twitter.com/#!/ghrd
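
The following is an added example, not code from the original message or from the app being discussed. It rebuilds both quoted queries with mysqli prepared statements: column names come only from a fixed whitelist (the original already used literal keys, so that part stays), and every user-supplied value is bound as a parameter so it can never alter the SQL text. It assumes, as the original does, that $cxn is an open mysqli connection and that Intake3 and Visit3 have the named columns; the function names build_intake_search and visit_by_medrec are my own.

```php
<?php
// Added example (not from the original post): parameterized versions of
// the two queries quoted above. Assumes $cxn is an open mysqli connection.

function build_intake_search(mysqli $cxn, array $post): ?mysqli_stmt
{
    // Fixed whitelist of searchable columns; keys are never taken from input,
    // so it is safe to interpolate them into the SQL text.
    $allowed_fields = ['Site', 'MedRec', 'Fname', 'Lname', 'Phone', 'Sex', 'Height'];

    $sql    = 'SELECT * FROM Intake3 WHERE 1';
    $values = [];

    foreach ($allowed_fields as $column) {
        if (!isset($post[$column]) || $post[$column] === '') {
            continue; // same "skip empty fields" rule as the original loop
        }
        // Column name is a whitelist literal; the value becomes a ? placeholder.
        $sql     .= " AND ($column = ?)";
        $values[] = (string) $post[$column];
    }

    $stmt = $cxn->prepare($sql);
    if ($stmt === false) {
        error_log('prepare failed: ' . $cxn->error);
        return null;
    }

    if ($values !== []) {
        // Bind every value as a string; MySQL casts on comparison for numeric columns.
        $types = str_repeat('s', count($values));
        $stmt->bind_param($types, ...$values);
    }

    return $stmt;
}

function visit_by_medrec(mysqli $cxn, string $medrec): ?mysqli_stmt
{
    // Replacement for $query2: the constant 'AA' stays literal, the MedRec value is bound.
    $stmt = $cxn->prepare("SELECT * FROM Visit3 WHERE Site = 'AA' AND MedRec = ?");
    if ($stmt === false) {
        error_log('prepare failed: ' . $cxn->error);
        return null;
    }
    $stmt->bind_param('s', $medrec);
    return $stmt;
}

// Usage with constructed input: a quote in the value is just data now,
// because the SQL text was fixed at prepare() time.
$stmt = build_intake_search($cxn, [
    'Site'   => "AA' OR '1'='1", // constructed hostile value, bound harmlessly
    'MedRec' => '12345',
    'Fname'  => '',              // empty: skipped, as in the original
]);
if ($stmt !== null && $stmt->execute()) {
    $result1 = $stmt->get_result(); // get_result() requires the mysqlnd driver
    while ($row = $result1->fetch_assoc()) {
        // handle $row
    }
    $stmt->close();
}

$stmt2 = visit_by_medrec($cxn, (string) ($_GET['mdr'] ?? ''));
if ($stmt2 !== null && $stmt2->execute()) {
    $result2 = $stmt2->get_result();
    $stmt2->close();
}
```

Note that the original loop calls mysqli_query() once per iteration; the rewritten version builds the full WHERE clause first and executes a single statement. The spread form of bind_param() needs PHP 5.6 or later; on older versions use call_user_func_array() with references instead.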

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
