From: "Steve Hillier" <securityfocus () mastermindtoys com>
Date: Mon, 20 Jun 2005 11:37:29 -0400
This isn't safe at all.
Just try inserting ' OR 1=1; # into your $DATA->id and you'll see.
You should be using mysql_escape_string() to sanitise your input strings
if you're going to be using them as-is inside SQL statements. You should
also consider using substr() to chop all but the length of string you
From: Pablo Fernández [mailto:newsclient () teamq info]
Sent: Friday, June 17, 2005 7:29 p
To: security-basics () securityfocus com
I've been coding for the last couple of days with PHP+MySQL and
I've been relying A LOT on magic_quotes. I am wondering if
it's (at least for the moment) a safe thing to do. For example,
consider the following code:
$GDATA = (object) $_GET;
$PDATA = (object) $_POST;
if ($GDATA) $DATA = $GDATA;
else $DATA = $PDATA;
$q = mysql_query ("SELECT * FROM whatever WHERE id = '$DATA->id'");
How safe is this?
I would appreciate hints & thoughts (TM)
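A hardened version of the quoted query, added here as an example that is not from either poster: it allow-lists the id and binds it as a parameter instead of interpolating it into the SQL text. It assumes mysqli with mysqlnd, a table `whatever` with an integer `id` column, and placeholder connection details.

```php
<?php
// Added example, not from the original thread. Replacement for the quoted
// query: validate the id, then bind it as a parameter so SQL text and data
// never mix. Assumes a MySQL table "whatever" with an integer "id" column.
declare(strict_types=1);

function fetchById(mysqli $db, string $rawId): ?array
{
    // Allow-list the input: the column is numeric, so reject anything that
    // is not a plain non-negative integer before it reaches the database.
    // A value such as "' OR 1=1; #" fails this check outright.
    if (!preg_match('/^\d{1,10}$/', $rawId)) {
        return null;
    }
    $id = (int) $rawId;

    // Prepared statement: the '?' placeholder is bound as an integer, so no
    // quoting or escaping of the value is needed and the query structure
    // cannot be altered by the input.
    $stmt = $db->prepare('SELECT * FROM whatever WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

// Placeholder connection details (assumption); read the id from one
// well-defined source rather than falling back from GET to POST.
$db = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$db->set_charset('utf8mb4'); // set the connection charset explicitly
$row = fetchById($db, $_GET['id'] ?? '');
```

The same approach applies to string columns: keep the `?` placeholder and bind with type `'s'`, so the value is never spliced into the statement text.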