Re: [PHP] How to improve sql query security using php? From: Richard Creech (richardc <email protected>)
Date: 09/30/00

At 03:41 AM 9/30/00 -0700, Mike Glover of <mpg4 <email protected>> eloquently postulated:
<a very BIG snip was here>
>In short, what's
>stopping an attacker from running:
>
> http://your.page/script.php?userstable=secrettable&emailfield= code
>for *>
>
>to access your secret data? Best of luck.
>
>-mike

and Cary thus sayth:

"You should use substr or preg_replace to escape or get rid of
characters you know you don't want. The big ones you will want to
get rid of, or escape are of course \, _, %, " and ' (the
apostrophe). You can use addslashes to escape ", ' and \.

Cary
>_____________________________________

Ahhhh! Yes, this is what I need help with ... Thanks to Mike Glover of <mpg4 <email protected>> and also thanks to Cary Collett <cary <email protected>> for their kind and expeditious help.

So, if I use a specified name for the field, and a CONSTANT for the table name, and use quotemeta($myvar) individually on all the form field values to be passed to the sql select, and then use:

$query = verifyData($query);

where this function is declared:

function verifyData ($query) {
        if($query){
                // Strip the LIKE wildcards (% and _) that Cary's reply warned about.
                $query = str_replace ("%", "", $query);
                $query = str_replace ("_", "", $query);
                /* quotemeta($str) is presumed to be used at the user form value.
                   quotemeta() returns a backslash character (\) before every character
                   that is among these: . \\ + * ? [ ^ ] ( $ ) */
                return $query;
        }else{
                exit;
        }
}

How could the combination of quotemeta() and verifyData(), or verifyData() itself, be improved for:

SELECT email, password FROM TABLENAME WHERE email ='$loginemail'

Or have we arrived at a secure state - I still don't see the fix for the original:
http://your.page/script.php?userstable=secrettable&emailfield= code
for *> ???

Richard Creech
http://dreamriver.com
richardc <email protected>
Phone 250.744.3350 Pacific Time

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: php-general-unsubscribe <email protected>
For additional commands, e-mail: php-general-help <email protected>
To contact the list administrators, e-mail: php-list-admin <email protected>
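An added example, not code from this thread, showing the hardened form of the SELECT discussed above: the table and field names come from a fixed allowlist instead of the query string, and $loginemail is bound as a parameter through PDO so it never becomes part of the SQL text. It assumes PHP 7.1+ with the pdo_sqlite extension; the lookupUser() function, the table names and the rows are constructed for the example.

```php
<?php
// Added example, not from the thread: the SELECT from the post with the
// identifiers allowlisted and the value bound. Assumes PHP 7.1+ and pdo_sqlite.

// Only names listed here may appear in the SQL text. Identifiers cannot be
// bound as parameters, so a fixed map is the only safe source for them.
const ALLOWED_TABLES = ['users' => 'users'];
const ALLOWED_FIELDS = ['email' => 'email'];

function lookupUser(PDO $db, string $table, string $field, string $loginemail): ?array
{
    // Reject anything not on the allowlist before any SQL is assembled
    // (this is what stops ?userstable=secrettable from the original question).
    if (!array_key_exists($table, ALLOWED_TABLES) || !array_key_exists($field, ALLOWED_FIELDS)) {
        return null;
    }
    $sql = 'SELECT email, password FROM ' . ALLOWED_TABLES[$table]
         . ' WHERE ' . ALLOWED_FIELDS[$field] . ' = :email';
    // The value travels separately from the SQL text, so quotes, backslashes,
    // % and _ in it are plain data: no quotemeta() or str_replace() stripping.
    // (% and _ are only special inside LIKE patterns anyway, not with =.)
    $stmt = $db->prepare($sql);
    $stmt->execute([':email' => $loginemail]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database standing in for TABLENAME in the post.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT, password TEXT)');
$db->exec('CREATE TABLE secrettable (email TEXT, password TEXT)');
$db->exec("INSERT INTO users VALUES ('alice@example.com', 'hash-placeholder')");
$db->exec("INSERT INTO users VALUES ('o''brien@example.com', 'hash-placeholder')");
$db->exec("INSERT INTO secrettable VALUES ('admin@example.com', 'hash-placeholder')");

var_dump(lookupUser($db, 'users', 'email', 'alice@example.com'));       // alice's row
// An apostrophe in the value (the case the replies worried about) is just data.
var_dump(lookupUser($db, 'users', 'email', "o'brien@example.com"));     // o'brien's row
// Table name not on the allowlist: refused, no SQL is built or run.
var_dump(lookupUser($db, 'secrettable', 'email', 'admin@example.com')); // NULL
```

With the value bound, the str_replace() stripping in verifyData() becomes unnecessary for the = comparison, and the allowlist is what answers the userstable=secrettable question, since no escaping function can make a user-chosen table name safe.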