Is this a sure fire way to mysql hacking?

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

scullsold
Forum Newbie
Posts: 1
Joined: Wed May 23, 2018 6:38 am

Is this a sure fire way to mysql hacking?

Post by scullsold »

Is it safe to use a URL to display products from a MySQL database, e.g. mysite.com/page.php?products=1, or is this a sure-fire way to MySQL hacking? Could I just check if the variable is an int, or should I encrypt/decrypt the variable?

I actually don't use the product variable in an SQL statement. I use:

```php
// Assumed from earlier in the script: $productR is the mysql_query() result set and
// $product is the requested position taken from the query string.
// (The mysql_* functions were removed in PHP 7.0; this is the code as posted.)
$p = 0;
while ($row = mysql_fetch_array($productR, MYSQL_ASSOC)) {
    if ($p == $product) {
        // display this row
    }
    $p += 1;
}
```

Yes, it's slower, but it's only a small website. Any advice would be great, thanks.
protopatterns
Forum Newbie
Posts: 9
Joined: Sun Jan 28, 2018 11:18 am

Re: Is this a sure fire way to mysql hacking?

Post by protopatterns »

'Filter in, escape out'. If you haven't read it yet, I'd suggest you look into Shiflett's Essential PHP Security: old, but clear, and still very relevant.

Regarding your implementation: I'd use PDO (http://php.net/manual/en/book.pdo.php), specifically '$prepared_statement = $pdo->prepare();', on all products going into the DB (filter in, to avoid people messing with your DB). Then I'd use htmlentities() on all the stuff I put into the frontend HTML (escape out, avoiding all kinds of headaches). This should take care of 99% of hackers/crackers, at least for products, if you don't (or may not in the future) have full control over what goes into them (e.g., APIs from other sites).

You might also want to '$all_products = $prepared_statement->fetchAll();', then work from $all_products (a PHP array, so you don't have to make so many connections to the DB). And you could show, e.g., 25 products at a time if you've got a lot of them.
Christopher
Site Administrator
Posts: 13592
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Is this a sure fire way to mysql hacking?

Post by Christopher »

Yes, it is safe to do "mysite.com/page.php?products=1" if you filter your input as protopatterns says. You need to make sure that for the "1" value only safe values are allowed. That may mean only allowing integers. It also means that values are escaped before being put into SQL. Again, protopatterns provides some direction for this.
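Putting the two replies together, here is an added worked example that is not code from the thread or from any of its posters: a page.php that validates the products parameter as an integer (filter in), fetches with a PDO prepared statement, and encodes on output (escape out), plus the 25-at-a-time listing protopatterns mentions. The table and column names, the DSN, user name and password, and the products/page parameter handling are all assumptions made for the example.

```php
<?php
// Added example, not code from the thread. page.php handling
// mysite.com/page.php?products=1 (one product) or ?page=2 (a list, 25 per page).
// Assumed schema: table `products` with integer `id` and text `name`, `description`.
// The DSN, user name and password are placeholders.
declare(strict_types=1);

const PER_PAGE = 25;

// Filter in: only a positive integer is accepted for the product id and page number.
// filter_input() returns null when the parameter is missing and false when it is
// not an integer, so "1 OR 1=1", "1; DROP TABLE products" and "abc" all fail here.
$id = filter_input(INPUT_GET, 'products', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
$page = filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($id === false || $page === false) {
    http_response_code(400);
    exit('Bad request');
}
$page = $page ?? 1;   // missing page parameter means the first page

// Real (server-side) prepared statements, exceptions on error, associative rows.
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'shop_user', 'secret', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// The pattern the question is worried about (never do this): the raw parameter
// becomes part of the SQL text, so ?products=1 OR 1=1 selects every row.
//   $rows = $pdo->query('SELECT * FROM products WHERE id = ' . $_GET['products']);

// Escape out: one helper used for every value that reaches the HTML.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

header('Content-Type: text/html; charset=utf-8');

if ($id !== null) {
    // Single product: the id travels as a bound parameter, separate from the SQL
    // text, so it cannot change the structure of the query.
    $stmt = $pdo->prepare('SELECT id, name, description FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $product = $stmt->fetch();
    if ($product === false) {
        http_response_code(404);
        exit('No such product');
    }
    echo '<h1>', h($product['name']), '</h1>';
    echo '<p>', nl2br(h($product['description'])), '</p>';
    exit;
}

// Product list, 25 at a time. LIMIT/OFFSET must be bound as integers: with
// emulated prepares they would be quoted as strings and MySQL would reject the query.
$stmt = $pdo->prepare('SELECT id, name FROM products ORDER BY id LIMIT :limit OFFSET :offset');
$stmt->bindValue(':limit', PER_PAGE, PDO::PARAM_INT);
$stmt->bindValue(':offset', ($page - 1) * PER_PAGE, PDO::PARAM_INT);
$stmt->execute();
$all_products = $stmt->fetchAll();   // one round trip, then work from the PHP array

echo '<ul>';
foreach ($all_products as $row) {
    // The id is our own integer, but encoding it on output costs nothing.
    echo '<li><a href="page.php?products=', h((string) $row['id']), '">', h($row['name']), '</a></li>';
}
echo '</ul>';
```

The integer check on its own already stops SQL injection for this parameter; the prepared statement is what keeps the page safe when a later change passes a string (a product name or search term) into the query, and the output encoding is what protects against product data that was not written by you.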