Page 1 of 1

Question about GET

Posted: Tue Jun 07, 2011 10:39 am
by EcazS
If I have a query like this,
SELECT
     `name`,
     `content`,
     `subtext`,
     `isBlog`,
     `isHome`
FROM `pageinfo` WHERE `name` = '{$_GET['page']}'
And I would obviously have like, index.php?page=Home, now for my question, are there any vulnerabilities for this?
Could some do DROP TABLE table_name? :lol: If so, how do I prevent it?

Re: Question about GET

Posted: Tue Jun 07, 2011 11:45 am
by jacek
EcazS wrote:Could some do DROP TABLE table_name? :lol:
I think that only works with MSSQL or something. But as it is this would be vulnerable to SQL injection. You need to escape the data that goes in to the query

Re: Question about GET

Posted: Tue Jun 07, 2011 11:47 am
by EcazS
jacek wrote:You need to escape the data that goes in to the query
With mysql_real_escape_string I'm guessing..?

Re: Question about GET

Posted: Tue Jun 07, 2011 11:59 am
by jacek
EcazS wrote:With mysql_real_escape_string I'm guessing..?
yup 8-)

Re: Question about GET

Posted: Tue Jun 07, 2011 7:28 pm
by EcazS
Just to be on the safe side, there is no "harm" in doing this,
if(isset($_GET['page'])){ //IF PAGE IS SET I.E. INDEX.PHP?PAGE=$NAME

                $get_page = htmlentities(mysql_real_escape_string(($_GET['page'])));

                //QUERY TO GET INFO FROM INDEX.PHP?PAGE=$NAME
                $mysql->query("
                    SELECT
                        `name`,
                        `content`,
                        `subtext`,
                        `isBlog`,
                        `isHome`
                    FROM `pageinfo` WHERE `name` = '{$get_page}'
                ");
Since I'm stripping it before using it in the query, I tried having it above but that gives an undefined index.

Re: Question about GET

Posted: Tue Jun 07, 2011 7:50 pm
by jacek
Yeah that's fine.

Allthough the finctions on this line
$get_page = htmlentities(mysql_real_escape_string(($_GET['page'])));
should be the other way around.

Re: Question about GET

Posted: Wed Jun 08, 2011 9:54 am
by irfanh94
Also you soholud put (int) before $_GET just llike this:
$get_page = htmlentities(mysql_real_escape_string(((int)$_GET['page'])));
Becouse someone can hack your database by sql injection.

Re: Question about GET

Posted: Wed Jun 08, 2011 10:42 am
by EcazS
It's not an integer so no. I'm also using the mysql_real_escape_string to help prevent against sql injection

Re: Question about GET

Posted: Wed Jun 08, 2011 10:44 am
by jacek
irfanh94 wrote:Also you soholud put (int) before $_GET just llike this:
You only need to do that when it is a number. And when you do that, there is no need for mysql_real_escape_string as well.