Question about GET

Posted: Tue Jun 07, 2011 10:39 am
by EcazS
If I have a query like this,
[syntax=sql]
SELECT
`name`,
`content`,
`subtext`,
`isBlog`,
`isHome`
FROM `pageinfo` WHERE `name` = '{$_GET['page']}'
[/syntax]

And I would obviously have something like index.php?page=Home. Now for my question: are there any vulnerabilities in this?
Could someone do DROP TABLE table_name? :lol: If so, how do I prevent it?

Re: Question about GET

Posted: Tue Jun 07, 2011 11:45 am
by jacek
EcazS wrote: Could someone do DROP TABLE table_name? :lol:

I think that only works with MSSQL or something. But as it is, this would be vulnerable to SQL injection. You need to escape the data that goes into the query.

Re: Question about GET

Posted: Tue Jun 07, 2011 11:47 am
by EcazS
jacek wrote: You need to escape the data that goes into the query

With mysql_real_escape_string, I'm guessing..?

Re: Question about GET

Posted: Tue Jun 07, 2011 11:59 am
by jacek
EcazS wrote: With mysql_real_escape_string, I'm guessing..?

yup 8-)

Re: Question about GET

Posted: Tue Jun 07, 2011 7:28 pm
by EcazS
Just to be on the safe side, is there any "harm" in doing this?
[syntax=php]if(isset($_GET['page'])){ //IF PAGE IS SET I.E. INDEX.PHP?PAGE=$NAME

    $get_page = htmlentities(mysql_real_escape_string(($_GET['page'])));

    //QUERY TO GET INFO FROM INDEX.PHP?PAGE=$NAME
    $mysql->query("
    SELECT
    `name`,
    `content`,
    `subtext`,
    `isBlog`,
    `isHome`
    FROM `pageinfo` WHERE `name` = '{$get_page}'
    ");
}[/syntax]
Since I'm stripping it before using it in the query, I tried having it above the if, but that gives an undefined index.

Re: Question about GET

Posted: Tue Jun 07, 2011 7:50 pm
by jacek
Yeah, that's fine.

Although the functions on this line

[syntax=php]$get_page = htmlentities(mysql_real_escape_string(($_GET['page'])));[/syntax]
should be the other way around.

Re: Question about GET

Posted: Wed Jun 08, 2011 9:54 am
by irfanh94
Also, you should put (int) before $_GET, just like this:

[syntax=php]$get_page = htmlentities(mysql_real_escape_string(((int)$_GET['page'])));[/syntax]

Because someone can hack your database by SQL injection.

Re: Question about GET

Posted: Wed Jun 08, 2011 10:42 am
by EcazS
It's not an integer, so no. I'm also using mysql_real_escape_string to help prevent SQL injection.

Re: Question about GET

Posted: Wed Jun 08, 2011 10:44 am
by jacek
irfanh94 wrote: Also, you should put (int) before $_GET, just like this:

You only need to do that when it is a number. And when you do that, there is no need for mysql_real_escape_string either.
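The thread settles on escaping, but the same lookup can be written so the question of escaping (and of which order to apply htmlentities and mysql_real_escape_string in) never arises: bind the value as a parameter of a prepared statement, and do HTML escaping only when the value is printed. The following is an added example, not code from the thread or from any of its posters. It uses PDO rather than the mysql_* functions (which were removed in PHP 7.0), assumes the `pageinfo` table and columns named in the thread, uses placeholder DSN and credentials, and, for the integer case irfanh94 and jacek discuss, assumes a hypothetical `id` column that the thread's table does not mention.

```php
<?php
// Added example, not code from the thread. Assumes a MySQL table `pageinfo` with the
// columns named in the thread plus a hypothetical integer `id` column; DSN and
// credentials below are placeholders.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=site;charset=utf8mb4', // placeholder DSN
        'dbuser',                                           // placeholder credentials
        'dbpass',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false, // server-side binding, not client-side quoting
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

/** Look up a page by its name. The value is bound, never spliced into the SQL text. */
function fetchPageByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare(
        'SELECT `name`, `content`, `subtext`, `isBlog`, `isHome`
           FROM `pageinfo` WHERE `name` = :name'
    );
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

/**
 * Integer keys: validate first, then bind as an integer. filter_var rejects input
 * such as "12abc", which a bare (int) cast would silently turn into 12.
 */
function fetchPageById(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // not a valid positive integer: refuse rather than guess
    }
    $stmt = $pdo->prepare(
        'SELECT `name`, `content`, `subtext`, `isBlog`, `isHome`
           FROM `pageinfo` WHERE `id` = :id'   // hypothetical `id` column
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

$pdo = connect();
$row = null;
if (isset($_GET['page'])) {
    $row = fetchPageByName($pdo, (string) $_GET['page']);   // e.g. index.php?page=Home
} elseif (isset($_GET['id'])) {
    $row = fetchPageById($pdo, (string) $_GET['id']);
}

if ($row === null) {
    http_response_code(404);
    exit('Page not found');
}

// HTML escaping belongs here, at output time, not before the query.
echo '<h1>' . htmlspecialchars((string) $row['name'], ENT_QUOTES, 'UTF-8') . '</h1>';
echo '<p>' . htmlspecialchars((string) $row['subtext'], ENT_QUOTES, 'UTF-8') . '</p>';
```

With a bound parameter the database receives the query text and the value separately, so a quote or comment sequence in `?page=` can only ever be compared against the `name` column, and the stored value stays exactly what the visitor typed. Escaping for HTML is then a separate, output-side decision, which avoids storing or comparing entity-encoded names.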