Topic awaiting preservation: how to write to database securely $Pages that link to <a href="https://ozoneasylum.com/backlink?for=12035" title="Pages that link to Topic awaiting preservation: how to write to database securely" rel="nofollow" >Topic awaiting preservation: how to write to database securely\$

Author	Thread
evilclown01 Nervous Wreck (II) Inmate From: Insane since: Dec 2001	posted 02-05-2002 00:36 right now I am using this to read from my database code: <?php $db = mysql_connect("host", "username", "pass"); mysql_select_db("links", $db); function links_display () { global $db; $sql = "select * from links order by name"; $result = mysql_query($sql, $db); if($myrow = mysql_fetch_array($result)) { echo "<p>"; do { printf("<a href=\"%s\">%s</a> - %s<br>\r\n", $myrow["url"], $myrow["name"], $myrow["description"]); } while ($myrow = mysql_fetch_array($result)); echo "</p>"; } else { echo "<p>No links found!</p>"; } } function links_edit() { //for now links_display(); } ?> On my links page it calls links_display(). On my page to edit/delete links (in a directory protected by .htpasswd) i call links_edit(). How should I edit the links? I don't want to use links ( $PHP_SELF . "?id=somenumber" ) because I thought that was insecure even if I use urlencode(). Is the best method to use a form with post? I couldn't figure out how to implement it. If you don't have a sample, I think I can figure it out if you give me a little direction. evilclown01
jiblet Paranoid (IV) Inmate From: Minneapolis, MN, USA Insane since: May 2000	posted 02-05-2002 01:21 It's only insecure because someone can set that variable to whatever they want. But it's not likely to cause a security hole if you just use that variable in your SELECT ... WHERE id=$id statement. I guess technically someone could set $id to something that could be damaging by escaping the query. To prevent that, simply make sure that $id contains only an integer value. Overall, however, this is not a serious security hole. At least nowhere near as bad as if you were doing something like "include($id);"... Using a form with post would not make anything more secure, because the point is that it is still getting variable information from the browser which you can never trust. That said, you have to ask yourself if there are any possible values for the variable that would cause your script to return information that it shouldn't. Security is a pretty complicated issue, so you won't always know what techniques hackers will use, but that is the basic methodology to fix security holes. -jiblet

Topic awaiting preservation: how to write to database securely\$

Author

Thread

evilclown01
Nervous Wreck (II) Inmate

From:
Insane since: Dec 2001

posted 02-05-2002 00:36

right now I am using this to read from my database

code:

<?php



$db = mysql_connect("host", "username", "pass");

mysql_select_db("links", $db);



function links_display () {

  global $db;

  $sql = "select * from links order by name";

  $result = mysql_query($sql, $db);

  

  if($myrow = mysql_fetch_array($result)) {

    echo "<p>";

    do {

      printf("<a href=\"%s\">%s</a> - %s<br>\r\n", $myrow["url"], $myrow["name"], $myrow["description"]);

    } while ($myrow = mysql_fetch_array($result));

    echo "</p>";

  }

  else {

    echo "<p>No links found!</p>";

  }

}



function links_edit() {

  //for now

  links_display();

}



?>

On my links page it calls links_display(). On my page to edit/delete links (in a directory protected by .htpasswd) i call links_edit(). How should I edit the links? I don't want to use links ( $PHP_SELF . "?id=somenumber" ) because I thought that was insecure even if I use urlencode(). Is the best method to use a form with post? I couldn't figure out how to implement it.

If you don't have a sample, I think I can figure it out if you give me a little direction.

evilclown01

jiblet
Paranoid (IV) Inmate

From: Minneapolis, MN, USA
Insane since: May 2000

posted 02-05-2002 01:21

It's only insecure because someone can set that variable to whatever they want. But it's not likely to cause a security hole if you just use that variable in your SELECT ... WHERE id=$id statement.

I guess technically someone could set $id to something that could be damaging by escaping the query. To prevent that, simply make sure that $id contains only an integer value. Overall, however, this is not a serious security hole. At least nowhere near as bad as if you were doing something like "include($id);"...

Using a form with post would not make anything more secure, because the point is that it is still getting variable information from the browser which you can never trust. That said, you have to ask yourself if there are any possible values for the variable that would cause your script to return information that it shouldn't. Security is a pretty complicated issue, so you won't always know what techniques hackers will use, but that is the basic methodology to fix security holes.

-jiblet