
Re: sql injection php code for secure my page

Newsgroups alt.comp.lang.php
Date 2022-09-22 07:16 -0700
References <54d34fcd$0$2175$65785112@news.neostrada.pl>
Message-ID <fde78fa6-98be-4a95-955e-91bba4a4cb5cn@googlegroups.com> (permalink)
Subject Re: sql injection php code for secure my page
From "He, who travels time to time" <he12091983@gmail.com>



Hey... Want to talk? Call me.... My telephone number >>>>

(+372) 56330687


Netman wrote on Thursday, 5 February 2015 at 13:11:10 UTC+2:
> Hello again! 
> 
> I know that to prevent SQL injection I have to check the parameters 
> coming e.g. from the $_GET variable 
> 
> I have questions: 
> 
> 1) Could you provide me with the sensitive words on which I should stop running the 
> following code? 
> 2) 
> 
> I have written a function which checks the $_GET variable for such words as 
> SELECT, DROP, DELETE, JAVASCRIPT, 
> but it doesn't work when the user sends a more than one-dimensional array, 
> i.e. a $_GET["action"][0] variable or $_GET["action"][0][0] etc. 
> 
> so : 
> a) http://www.domain.com/index.php?action=about-me 
> my function doesn't return any exception and the page is displayed 
> 
> and the following query is running and shows data: 
> $sql="SELECT * FROM table WHERE cat='".$_GET["action"]."'"; 
> 
> b) http://www.domain.com/index.php?action=JAVASCRIPT 
> my function perfectly handles such exception and the page is not displayed 
> 
> and the following query is not running: 
> $sql="SELECT * FROM table WHERE cat='".$_GET["action"]."'"; 
> 
> because the user sends the JAVASCRIPT value for the $_GET form variable. 
> 
> c) http://www.domain.com/index.php?action[0]=JAVASCRIPT 
> my function doesn't handle such an exception and the page is displayed 
> 
> and the following query is running but it doesn't show any data: 
> $sql="SELECT * FROM table WHERE cat='".$_GET["action"]."'"; 
> because the 
> $_GET["action"] variable is an array in this case 
> 
> Questions: 
> 3) Do I have to handle the case in my parameter-checking function when 
> $_GET is an array 
> like this: $_GET["action"][0], $_GET["action"][0][0] etc.... 
> 4) Is it possible to run SQL injection code when the query is like this: 
> 
> $sql="SELECT * FROM table WHERE cat='".$_GET["action"]."'"; 
> 
> and $_GET["action"] is an Array. Do I have to secure for such situation? 
> 
> Could you be so kind and answer my question? 
> 
> Kindest regards 
> Marcin 
> 
> 
> --- 
> This message was checked for viruses by Avast antivirus software. 
> http://www.avast.com
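The quoted question concatenates $_GET["action"] into the SQL text and relies on a keyword blacklist that never sees an array value. The following PHP is an added example, not code from the thread: it keeps the quoted query as the vulnerable form beside a hardened version that rejects non-string input, allow-lists the slug shape and uses a PDO prepared statement. The connection details and the column name `cat` / table name `table` are assumptions taken from the quoted query.

```php
<?php
// Added example (not from the thread). Assumes a PDO connection to a MySQL
// database containing a table named `table` with a `cat` column, as quoted.

/**
 * Return the 'action' parameter as a validated string, or null if it is
 * absent, not a scalar, or not shaped like a category slug.
 * ?action[0]=... arrives as a PHP array, which is why a keyword blacklist
 * run on $_GET['action'] as a string never sees it.
 */
function actionParam(array $get): ?string
{
    if (!isset($get['action']) || !is_string($get['action'])) {
        return null;               // arrays, nested arrays, missing value
    }
    // Allow-list the expected shape instead of blacklisting words.
    if (preg_match('/^[a-z0-9-]{1,64}$/', $get['action']) !== 1) {
        return null;
    }
    return $get['action'];
}

// Vulnerable form, as quoted in the question: user input becomes SQL text.
// With an array value PHP emits "Array to string conversion" and queries
// cat='Array', which is why case (c) above runs but returns no rows.
function vulnerableQuery(array $get): string
{
    return "SELECT * FROM table WHERE cat='" . $get["action"] . "'";
}

// Hardened form: the value is bound as a parameter and never becomes part
// of the SQL text, so no keyword filter is needed for the query itself.
function fetchCategory(PDO $pdo, array $get): array
{
    $action = actionParam($get);
    if ($action === null) {
        http_response_code(400);   // reject instead of silently querying ''
        return [];
    }
    $stmt = $pdo->prepare('SELECT * FROM `table` WHERE cat = :cat');
    $stmt->execute([':cat' => $action]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (assumed DSN and credentials). ATTR_EMULATE_PREPARES = false makes
// the MySQL server perform the binding rather than the PDO client.
// $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $user, $pass,
//     [PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $rows = fetchCategory($pdo, $_GET);
```

With this structure the answer to question 4 is that the bound parameter cannot alter the query regardless of its content, and the answer to question 3 is that array input is rejected once by the `is_string` check rather than by inspecting every nesting level.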
