SELECT
`name`,
`content`,
`subtext`,
`isBlog`,
`isHome`
FROM `pageinfo` WHERE `name` = '{$_GET['page']}'
And I would obviously have like, index.php?page=Home, now for my question, are there any vulnerabilities for this?
If so, how do I prevent it?I think that only works with MSSQL or something. But as it is this would be vulnerable to SQL injection. You need to escape the data that goes in to the queryEcazS wrote:Could some do DROP TABLE table_name?
With mysql_real_escape_string I'm guessing..?jacek wrote:You need to escape the data that goes in to the query
if(isset($_GET['page'])){ //IF PAGE IS SET I.E. INDEX.PHP?PAGE=$NAME
$get_page = htmlentities(mysql_real_escape_string(($_GET['page'])));
//QUERY TO GET INFO FROM INDEX.PHP?PAGE=$NAME
$mysql->query("
SELECT
`name`,
`content`,
`subtext`,
`isBlog`,
`isHome`
FROM `pageinfo` WHERE `name` = '{$get_page}'
");
Since I'm stripping it before using it in the query, I tried having it above but that gives an undefined index.$get_page = htmlentities(mysql_real_escape_string(($_GET['page'])));should be the other way around.
$get_page = htmlentities(mysql_real_escape_string(((int)$_GET['page'])));Becouse someone can hack your database by sql injection.
You only need to do that when it is a number. And when you do that, there is no need for mysql_real_escape_string as well.irfanh94 wrote:Also you soholud put (int) before $_GET just llike this: