PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
Loading
It is currently Fri Jun 22, 2018 7:46 pm

All times are UTC - 5 hours




Post new topic Reply to topic  [ 3 posts ] 
Author Message
PostPosted: Wed May 23, 2018 6:41 am 
Offline
Forum Newbie

Joined: Wed May 23, 2018 6:38 am
Posts: 1
Is it safe using url to dispay products from a mysql database : mysite.com/page.php?products=1 etc or is this a sure fire way to mysql hacking? Could I just check if variable is an int or should I encrypt/decrypt the variable? 8O

I actually don't use the product variable in an sql statement I use:

Syntax: [ Download ] [ Hide ] [ Select ]
$p=0;
while ($row = mysql_fetch_array($productR, MYSQL_ASSOC)){

if ($p == $product)
{ }
$p+=1;
}




Yes its slower but it's only a small website. Any advice would be great thanks. :crazy:


Top
 Profile  
 
PostPosted: Wed May 23, 2018 5:36 pm 
Offline
Forum Newbie

Joined: Sun Jan 28, 2018 12:18 pm
Posts: 9
'Filter in, escape out'. If you haven't read it yet I'd suggest you look into Shiflett's Essential PHP Security: old, but clear, and still very relevant.

Regarding your implementation: I'd use PDO (http://php.net/manual/en/book.pdo.php), specifically '$prepared_statement = $pdo->prepare();' on all products going into the DB (filter in, to avoid people messing with your db). Then use htmlentities() on all the stuff I put on the frontend HTML (escape out, avoiding all kinds of headaches). This should take care of 99% of hackers/crackers, at least for products, if you don't (or may not in the future) have full control over what goes into them (e.g., APIs from other sites).

You might also want to '$all_products = $prepared_statement->fetchAll();', then work from $all_products (a PHP array, so you don't have to make so many connections to the DB). And you could give e.g., 25 products at a time, if you've got a lot of them.


Top
 Profile  
 
PostPosted: Wed May 23, 2018 11:56 pm 
Offline
Site Administrator
User avatar

Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13564
Location: New York, NY, US
Yes it is safe to do "mysite.com/page.php?products=1", if you filter your input as protopatterns says. You need to make sure that for the "1" value that only safe values are allowed. That may mean only allowing integers. That also means that values are escaped before put into SQL. Again, protopatterns provides some direction for this.

_________________
(#10850)


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 3 posts ] 

All times are UTC - 5 hours


Who is online

Users browsing this forum: No registered users and 12 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
Powered by phpBB® Forum Software © phpBB Group