safe using ?product=1 in URL?
Posted: Sat Apr 10, 2010 12:02 pm
by wurdup
Is it safe using a URL to display products from a MySQL database: mysite.com/page.php?products=1 etc., or is this a sure-fire way to MySQL hacking? Could I just check if the variable is an int, or should I encrypt/decrypt the variable?
I actually don't use the product variable in an SQL statement; I use:
```php
// Walk the result set and count rows until the counter matches the
// product number from the URL; $product itself never reaches the SQL.
$p = 0;
while ($row = mysql_fetch_array($productR, MYSQL_ASSOC)) {
    if ($p == $product) {
        // display this product (body omitted in the post)
    }
    $p += 1;
}
```
Yes, it's slower, but it's only a small website. Any advice would be great, thanks.
Re: safe using ?product=1 in URL?
Posted: Sat Apr 10, 2010 1:12 pm
by Vestax159
Don't see why not (I'm no pro), but I think the reason this is a security no-no is that the end user can change that $product variable. So if this were, say, a $customer_number, they could change it from 3 to 4 and be in someone else's account just by changing the URL slightly. As it stands, if they change it they just view different products in your database, and the worst that can do is show an outdated product or a product before it is released.
Now, for SEO purposes it is generally a bad idea (use a URL rewrite).
Re: safe using ?product=1 in URL?
Posted: Sat Apr 10, 2010 1:16 pm
by wurdup
The products are viewable by anyone who visits the website, so changing the number isn't an issue really. Thanks.
Re: safe using ?product=1 in URL?
Posted: Sat Apr 10, 2010 4:49 pm
by lunarnet76
A simple security measure is to do
```php
// Coerce the query parameter to an integer before anything else uses it.
$_GET['product'] = (int)$_GET['product'];
```
at the beginning of your file! It will be 100% secure!
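As an added example (not code from anyone in this thread), here is the same idea done with explicit validation plus a prepared statement instead of the index-walking loop. A plain (int) cast silently maps junk like "abc" to 0, whereas FILTER_VALIDATE_INT rejects it, and binding the id means it never becomes part of the SQL text. The in-memory SQLite table and product names are constructed for the demo; the real table and columns are not known from the thread.

```php
<?php
// Added example, not code from the thread. The in-memory SQLite table below is
// constructed for the demo; the thread's real table and columns are unknown.

// Return a positive integer product id, or null if the parameter is missing,
// non-numeric or out of range. (int)$_GET['product'] silently turns "abc" or
// "1 OR 1=1" into 0 or 1; FILTER_VALIDATE_INT rejects anything that is not a
// plain integer, so bad input can be answered with a clear 400 instead.
function product_id_from_query(array $query): ?int
{
    if (!isset($query['product']) || !is_string($query['product'])) {
        return null;
    }
    $id = filter_var($query['product'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Look the product up with a prepared statement: the id is bound as a value,
// never spliced into the SQL text, so there is no need to walk the whole table
// comparing a counter against $product as the original loop does.
function fetch_product(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demo data (constructed). A real page would use its MySQL PDO connection.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO products VALUES (1, 'Widget'), (2, 'Gadget')");

// Simulated query-string values; on a live page this would be $_GET.
foreach (['2', '0', 'abc', '2 OR 1=1', '7'] as $raw) {
    $id = product_id_from_query(['product' => $raw]);
    if ($id === null) {
        echo "product=$raw -> 400 bad id\n";
    } elseif (($product = fetch_product($pdo, $id)) === null) {
        echo "product=$raw -> 404 not found\n";
    } else {
        echo "product=$raw -> 200 {$product['name']}\n";
    }
}
```

Only "2" reaches the 200 branch; "0", "abc" and "2 OR 1=1" are refused before any query runs, and "7" is a valid id that simply does not exist.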