Question about GET

EcazS
Posts: 789
Joined: Fri May 06, 2011 5:29 pm

Question about GET

Post by EcazS »

If I have a query like this,
[syntax=sql]
SELECT
`name`,
`content`,
`subtext`,
`isBlog`,
`isHome`
FROM `pageinfo` WHERE `name` = '{$_GET['page']}'
[/syntax]

And I would obviously have like, index.php?page=Home, now for my question, are there any vulnerabilities for this?
Could someone do DROP TABLE table_name? :lol: If so, how do I prevent it?
jacek
Site Admin
Posts: 3262
Joined: Thu May 05, 2011 1:45 pm
Location: UK

Re: Question about GET

Post by jacek »

EcazS wrote: Could someone do DROP TABLE table_name? :lol:

I think that only works with MSSQL or something. But as it is this would be vulnerable to SQL injection. You need to escape the data that goes into the query.
EcazS
Posts: 789
Joined: Fri May 06, 2011 5:29 pm

Re: Question about GET

Post by EcazS »

jacek wrote: You need to escape the data that goes into the query

With mysql_real_escape_string I'm guessing..?
jacek
Site Admin
Posts: 3262
Joined: Thu May 05, 2011 1:45 pm
Location: UK

Re: Question about GET

Post by jacek »

EcazS wrote: With mysql_real_escape_string I'm guessing..?

yup 8-)
EcazS
Posts: 789
Joined: Fri May 06, 2011 5:29 pm

Re: Question about GET

Post by EcazS »

Just to be on the safe side, there is no "harm" in doing this,
[syntax=php]if(isset($_GET['page'])){ //IF PAGE IS SET I.E. INDEX.PHP?PAGE=$NAME

$get_page = htmlentities(mysql_real_escape_string($_GET['page']));

//QUERY TO GET INFO FROM INDEX.PHP?PAGE=$NAME
$mysql->query("
SELECT
`name`,
`content`,
`subtext`,
`isBlog`,
`isHome`
FROM `pageinfo` WHERE `name` = '{$get_page}'
");
}[/syntax]
Since I'm stripping it before using it in the query, I tried having it above but that gives an undefined index.
jacek
Site Admin
Posts: 3262
Joined: Thu May 05, 2011 1:45 pm
Location: UK

Re: Question about GET

Post by jacek »

Yeah that's fine.

Although the functions on this line

[syntax=php]$get_page = htmlentities(mysql_real_escape_string(($_GET['page'])));[/syntax]
should be the other way around.
irfanh94
Posts: 26
Joined: Thu May 05, 2011 7:43 pm

Re: Question about GET

Post by irfanh94 »

Also you should put (int) before $_GET, just like this:

[syntax=php]$get_page = htmlentities(mysql_real_escape_string(((int)$_GET['page'])));[/syntax]

Because someone can hack your database by SQL injection.
EcazS
Posts: 789
Joined: Fri May 06, 2011 5:29 pm

Re: Question about GET

Post by EcazS »

It's not an integer, so no. I'm also using mysql_real_escape_string to help prevent SQL injection.
jacek
Site Admin
Posts: 3262
Joined: Thu May 05, 2011 1:45 pm
Location: UK

Re: Question about GET

Post by jacek »

irfanh94 wrote: Also you should put (int) before $_GET, just like this:

You only need to do that when it is a number. And when you do that, there is no need for mysql_real_escape_string as well.
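The points made across the thread (the original query is injectable, escaping the value fixes it, and an (int) cast is only the right fix for a numeric parameter, after which no escaping is needed) in one runnable script. This is an added example, not code from the thread. It uses an in-memory SQLite database through PDO so it runs offline without a MySQL server: PDO::quote() stands in for mysql_real_escape_string() (which needs a live MySQL link), and the prepared-statement variant is an alternative the thread does not mention. The table layout, the sample rows and the request arrays standing in for $_GET are constructed for the demonstration.

```php
<?php
// Added example (not from the thread): the `pageinfo` lookup built three ways,
// plus a numeric lookup, against an in-memory SQLite database via PDO.
// In the thread's MySQL setup, mysql_real_escape_string($x) (ext/mysql, removed
// in PHP 7) or mysqli_real_escape_string($link, $x) play the role PDO::quote()
// plays here, and mysqli/PDO both offer prepared statements.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE pageinfo (id INTEGER PRIMARY KEY, name TEXT, content TEXT,
                                  subtext TEXT, isBlog INTEGER, isHome INTEGER)");
$db->exec("INSERT INTO pageinfo (name, content, subtext, isBlog, isHome) VALUES
           ('Home',  'Welcome',  'front page', 0, 1),
           ('About', 'About us', 'who we are', 0, 0),
           ('Blog',  'Posts',    'news',       1, 0)");

// Constructed request values standing in for $_GET.
$normalRequest  = ['page' => 'Home'];
$oddRequest     = ['page' => "O'Reilly"];       // a legitimate name containing a quote
$craftedRequest = ['page' => "x' OR '1'='1"];   // a value that changes the query's structure

// 1. The query as posted: the GET value is spliced straight into the SQL text,
//    so a quote in the value ends the string literal early.
function lookupInterpolated(PDO $db, array $get): array {
    $sql = "SELECT name, content, subtext, isBlog, isHome
            FROM pageinfo WHERE name = '{$get['page']}'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Escaping (jacek's advice): quote the value so it can only ever be a string
//    literal. PDO::quote() adds the surrounding quotes itself; with MySQL you would
//    call mysql_real_escape_string() and keep the quotes in the SQL text.
function lookupEscaped(PDO $db, array $get): array {
    $quoted = $db->quote($get['page']);
    $sql = "SELECT name, content, subtext, isBlog, isHome
            FROM pageinfo WHERE name = " . $quoted;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Prepared statement: SQL text and data are sent separately, nothing to escape.
function lookupPrepared(PDO $db, array $get): array {
    $stmt = $db->prepare("SELECT name, content, subtext, isBlog, isHome
                          FROM pageinfo WHERE name = :name");
    $stmt->execute([':name' => $get['page']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 4. Numeric parameter (irfanh94's cast, with jacek's caveat): an (int) cast is a
//    complete fix on its own because the result can only be digits, so no escape
//    function is needed after it. It is wrong for the string `page` parameter.
function lookupById(PDO $db, array $get): array {
    $id = (int) $get['id'];
    return $db->query("SELECT name FROM pageinfo WHERE id = $id")->fetchAll(PDO::FETCH_ASSOC);
}

printf("interpolated, normal:  %d row(s)\n", count(lookupInterpolated($db, $normalRequest)));
printf("interpolated, crafted: %d row(s)\n", count(lookupInterpolated($db, $craftedRequest)));
try {
    lookupInterpolated($db, $oddRequest);
} catch (PDOException $e) {
    echo "interpolated, O'Reilly: SQL error, the quote in the value ended the literal\n";
}
printf("escaped, crafted:      %d row(s)\n", count(lookupEscaped($db, $craftedRequest)));
printf("prepared, crafted:     %d row(s)\n", count(lookupPrepared($db, $craftedRequest)));
printf("prepared, O'Reilly:    %d row(s)\n", count(lookupPrepared($db, $oddRequest)));
printf("by id, cast:           %d row(s)\n", count(lookupById($db, ['id' => '2 OR 1=1'])));
```

Run it with `php` from the command line (the pdo_sqlite extension is bundled with most PHP builds). The interpolated lookup returns one row for `Home`, returns every page for the crafted value because the quote in it turns `name = '...'` into `name = 'x' OR '1'='1'`, and fails outright on a legitimate name such as `O'Reilly`. Both the escaped and the prepared variants return zero rows for the crafted value and handle `O'Reilly` as an ordinary string, which is why escaping (or parameters) belongs on every string that reaches the query. The `(int)` lookup returns a single row for the value `2 OR 1=1`, since the cast reduces it to `2` before it ever touches the SQL, which is exactly the case where the cast alone is enough.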