PHP Developers Network
http://forums.devnetwork.net/

Is this a sure fire way to mysql hacking?
http://forums.devnetwork.net/viewtopic.php?f=1&t=147807
Page 1 of 1

Author:  scullsold [ Wed May 23, 2018 6:41 am ]
Post subject:  Is this a sure fire way to mysql hacking?

Is it safe to use a URL to display products from a MySQL database (mysite.com/page.php?products=1 etc.), or is this a sure-fire way to MySQL hacking? Could I just check if the variable is an int, or should I encrypt/decrypt the variable? 8O

I actually don't use the product variable in an SQL statement; I use:

$p = 0;
// $productR is the result of a query for all products (old mysql_* extension, removed in PHP 7);
// $product is the value taken from the URL
while ($row = mysql_fetch_array($productR, MYSQL_ASSOC)) {
    if ($p == $product) {
        // this row is the requested product: display $row here
    }
    $p += 1;
}

Yes, it's slower, but it's only a small website. Any advice would be great, thanks. :crazy:

Author:  protopatterns [ Wed May 23, 2018 5:36 pm ]
Post subject:  Re: Is this a sure fire way to mysql hacking?

'Filter in, escape out'. If you haven't read it yet, I'd suggest you look into Shiflett's Essential PHP Security: old, but clear, and still very relevant.

Regarding your implementation: I'd use PDO (http://php.net/manual/en/book.pdo.php), specifically '$prepared_statement = $pdo->prepare();' on all products going into the DB (filter in, to avoid people messing with your db). Then use htmlentities() on all the stuff I put on the frontend HTML (escape out, avoiding all kinds of headaches). This should take care of 99% of hackers/crackers, at least for products, if you don't (or may not in the future) have full control over what goes into them (e.g., APIs from other sites).

You might also want to '$all_products = $prepared_statement->fetchAll();', then work from $all_products (a PHP array, so you don't have to make so many connections to the DB). And you could give e.g., 25 products at a time, if you've got a lot of them.

Author:  Christopher [ Wed May 23, 2018 11:56 pm ]
Post subject:  Re: Is this a sure fire way to mysql hacking?

Yes, it is safe to do "mysite.com/page.php?products=1" if you filter your input as protopatterns says. You need to make sure that for the "1" value only safe values are allowed. That may mean only allowing integers. That also means that values are escaped before being put into SQL. Again, protopatterns provides some direction for this.
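Putting the two replies together (integer-only filtering on the way in, a PDO prepared statement for the query, HTML escaping on the way out), here is an added example written for this thread; it is not code from any of the posters. It assumes a `products` table with `id`, `name` and `description` columns and uses hypothetical connection details.

```php
<?php
// Added example: handle mysite.com/page.php?products=1 safely.
// Assumes a `products` table (id, name, description); DSN and credentials are placeholders.
declare(strict_types=1);

// 1. Filter in: accept only a positive integer for ?products=...
//    Anything else (letters, quotes, "1 OR 1=1") is rejected before it gets near SQL.
$id = filter_input(INPUT_GET, 'products', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid product id');
}

// Hypothetical connection details; replace with your own.
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
]);

// The unsafe pattern the question worries about, shown for contrast only:
// $rows = $pdo->query("SELECT * FROM products WHERE id = " . $_GET['products']);
// Here the raw URL value becomes part of the SQL text itself.

// 2. Prepared statement: the value travels separately from the query text,
//    so the database never parses it as SQL.
$stmt = $pdo->prepare('SELECT id, name, description FROM products WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$product = $stmt->fetch(PDO::FETCH_ASSOC);

if ($product === false) {
    http_response_code(404);
    exit('No such product');
}

// 3. Escape out: HTML-encode everything that came from the database before
//    it reaches the page, so stored content cannot inject markup or script.
$e = static fn (string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
?>
<h1><?= $e($product['name']) ?></h1>
<p><?= $e($product['description']) ?></p>
```

With this in place the URL parameter can stay a plain integer; there is no need to encrypt it, because the id is validated and never concatenated into the query.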
