[solved] undefined & parse error

Posted: Wed Jul 04, 2007 8:50 am
by m2babaey
Hi
2 questions (they may be unrelated).
1. The code below lists the articles in a specific section (part of the site):

<?
include 'global.php';
if (isset($_GET['id'])) {
    // raw query-string value, used as-is
    $section_id = $_GET['id'];
    // $section_id is interpolated straight into the SQL text (this is the injection point discussed later in the thread)
    $sql = "SELECT * FROM articles WHERE section = '$section_id' ORDER BY id";
    $results = mysql_query($sql) or die (mysql_error());
    $row = mysql_fetch_array($results);
    include 'page.php';
}
?>
When I enter the URL "http://127.0.0.1/Takfekr/htdocs/section.php?id=0" it gives a parse error like this:
Parse error: parse error in g:\programs(2)\easyphp1-8\www\takfekr\htdocs\section.php on line 10
Do you think it's because there is no "else" for the if statement?
2. I am using a piece of code that includes a page for 2 different purposes. I mean section.php includes it and read.php does as well. I named the results of the SQL queries related to each of them differently: $result for read.php and $results for section.php.
Then I used an if statement like this:

if ($result) {
    // now the code related to read.php goes here
} else {
    // this means no SQL query named $result has been done, so it assumes the page has been called for section.php
}
Of course, using the code above produces a Notice like this:
Notice: Undefined variable: result in g:\programs(2)\easyphp1-8\www\takfekr\htdocs\articlecontent.php on line 3
I can use different pages to solve it, but is there another solution (except turning off notices)?
thanks

Posted: Wed Jul 04, 2007 8:58 am
by miro_igov
To prevent the notice use

if(isset($result)) ..................
For the other error you need to post section.php.

Posted: Wed Jul 04, 2007 9:03 am
by aceconcepts
Have you tried alternate URLs as the value submitted?

Posted: Wed Jul 04, 2007 9:06 am
by m2babaey
Thanks.
section.php was the first code.
That problem does not happen for id=50 (if you meant this by alternate URL).

Posted: Wed Jul 04, 2007 9:20 am
by feyd
I would suggest reading up on SQL injection.

Posted: Wed Jul 04, 2007 9:24 am
by m2babaey
Problem got solved.
feyd wrote:I would suggest reading up on SQL injection.
Why?
Is that related, and how?
thanks :P

Posted: Wed Jul 04, 2007 9:25 am
by feyd
Currently, your script has a gaping hole allowing it.

Posted: Wed Jul 04, 2007 1:05 pm
by m2babaey
Thanks.
I have started studying more on SQL injection.
But could you please be more specific, because I'm going to upload my site in the next few days and need to act faster. I thought PHP was safe when there is no session and login.

Posted: Wed Jul 04, 2007 1:21 pm
by volka
E.g. someone calls your script with ?id=%27+or+%27%27%3D%27, then $section_id is ' or ''=' and your SQL statement becomes
SELECT * FROM articles WHERE section = '' or ''='' ORDER BY id
which matches all records.
mysql_real_escape_string() marks characters like ' as being payload data by prepending them with \

see http://de2.php.net/security.database.sql-injection and http://de2.php.net/mysql_real_escape_string
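The exchange volka describes, run end to end as an added example (this is not code from the thread or from the poster's site). It rebuilds the articles table in an in-memory SQLite database so it runs offline; the table layout and rows are constructed for the demo, and PDO with the pdo_sqlite driver is assumed to be available. Instead of mysql_real_escape_string() it uses a bound parameter, which is the standard replacement for escaping (the mysql_* extension itself is gone in PHP 7) and needs no live MySQL server.

```php
<?php
// Added example, not from the thread: the same injected value handled two ways.
// Assumptions: pdo_sqlite is installed; table contents are constructed here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE articles (id INTEGER PRIMARY KEY, section TEXT, title TEXT)");
$db->exec("INSERT INTO articles (section, title)
           VALUES ('1', 'First'), ('2', 'Second'), ('50', 'Fifty')");

// What $_GET['id'] contains after PHP url-decodes ?id=%27+or+%27%27%3D%27
$section_id = "' or ''='";

// 1. The pattern from the first post: the raw value is spliced into the SQL text,
//    so the quote closes the literal and "or ''=''" is evaluated as SQL.
$vulnerable = "SELECT * FROM articles WHERE section = '$section_id' ORDER BY id";
$rows = $db->query($vulnerable)->fetchAll(PDO::FETCH_ASSOC);
echo "string-built SQL:   $vulnerable\n";
echo "string-built query returned " . count($rows) . " of 3 rows\n";

// 2. A prepared statement: the SQL text is fixed and the value travels separately,
//    so the quotes are compared as ordinary characters against the section column.
$stmt = $db->prepare("SELECT * FROM articles WHERE section = :section ORDER BY id");
$stmt->execute([':section' => $section_id]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo "parameterised query returned " . count($rows) . " of 3 rows\n";

// 3. The intended request still works through the same prepared statement.
$stmt->execute([':section' => '50']);
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    echo "section 50: " . $row['title'] . "\n";
}
```

Run it with `php` on the command line: the string-built query returns every article, the parameterised query returns none for the injected value, and the legitimate lookup still finds its row. The same `prepare`/`execute` pattern works unchanged against MySQL by swapping the DSN.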

Posted: Wed Jul 04, 2007 1:24 pm
by superdezign

page.php?id='; DROP DATABASE dbName; SELECT * FROM articles WHERE ''='

Posted: Wed Jul 04, 2007 10:34 pm
by m2babaey
Oh yes. I didn't pay enough attention at first. :oops: I remembered I am querying the database then, though :P
How about using this function:

strip_tags($_GET['id']);
Will that work as well as mysql_real_escape_string() or work better? :?:

Posted: Wed Jul 04, 2007 10:42 pm
by feyd
strip_tags() won't protect you much. mysql_real_escape_string() protects you a fair bit more, but it can't protect you against data differences or poor SQL.

Posted: Thu Jul 05, 2007 2:20 am
by m2babaey
I think I should use a combination of strip_tags, get_magic_quotes, addslashes.
What more in your opinion?
What will happen about:
but it can't protect you against data differences or poor SQL.
then?
thanks

Posted: Thu Jul 05, 2007 7:41 am
by feyd
m2babaey wrote:I think I should use a combination of strip_tags, get_magic_quotes, addslashes.
Generally, no.
m2babaey wrote:What more in your opinion?
What will happen about:
but it can't protect you against data differences or poor SQL.
then?
You need to apply filtering, cleaning, and so forth, specific to the field types. Numbers need to be forced to numbers, dates need to be in the proper format, etc. etc.
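Per-field validation of the kind feyd recommends, written as an added example (not code from the thread): an integer id is accepted only if it is a real non-negative integer and is returned as an int, and a date is accepted only if it round-trips through one fixed format. The function names and the sample inputs are constructed for this demo; the same strip_tags() call from the question is run alongside so the difference is visible.

```php
<?php
// Added example, not from the thread. Assumed names: validate_section_id, validate_date.

// Integer id: filter_var returns false (not 0) when the value is not an integer in
// range, so callers must test with !== false; "0" is a valid id and comes back as int 0.
function validate_section_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $id === false ? null : $id;
}

// Date field: parse against exactly one format, then compare the re-formatted value
// with the input, because createFromFormat rolls 2007-02-30 over to 2007-03-02
// instead of failing. The leading '!' resets unspecified fields to zero.
function validate_date(string $raw): ?string
{
    $dt = DateTime::createFromFormat('!Y-m-d', $raw);
    if ($dt === false || $dt->format('Y-m-d') !== $raw) {
        return null;
    }
    return $dt->format('Y-m-d');
}

// Constructed inputs: the legitimate ids from the thread, some malformed ones,
// and volka's injected value.
$ids = ['50', '0', '50abc', '-1', "' or ''='"];
foreach ($ids as $raw) {
    $id = validate_section_id($raw);
    printf("%-12s strip_tags -> %-12s validated -> %s\n",
        var_export($raw, true),
        var_export(strip_tags($raw), true),   // unchanged: no tags to strip
        $id === null ? 'rejected' : "int $id");
    if ($id !== null) {
        // Only the int ever reaches the SQL, so %d cannot emit a quote or keyword.
        echo '  ' . sprintf('SELECT * FROM articles WHERE section = %d ORDER BY id', $id) . "\n";
    }
}

$dates = ['2007-07-04', '2007-02-30', '04/07/2007', "2007-07-04' or ''='"];
foreach ($dates as $raw) {
    $d = validate_date($raw);
    printf("%-24s validated -> %s\n", var_export($raw, true), $d ?? 'rejected');
}
```

Running it shows strip_tags() handing back the injected string untouched while the integer validator rejects it, and the date validator rejecting both the rolled-over day and the differently formatted date. For columns that genuinely hold free text, the validator cannot reduce the input to a number; those values belong in a prepared statement parameter rather than in the SQL text.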