  #1  New to the CF scene

    Question: Risks of using the GET method in MySQL queries

    Hi, What are the risks of using:
    PHP Code:
        $query  = "SELECT * FROM '" . $_GET['value'] . "'";
        $result = mysql_query($query);

        // 'value' comes from a link: <a href="example.com/?value=1">

        // Instead of
        $query  = "SELECT * FROM value";
        $result = mysql_query($query);

        // 'value' comes from code

    Thanks

  #2  Senior Coder, tangoforce
    Lots.

    You're allowing the user to input their own query. What's to stop me adding " users; drop table accounts" ?

    Worse... I could do this: " users; update users set password = 'password' where user_name = 'admin'

    Suddenly your admin account has its password reset and you've been hacked.

    Granted mysql no longer allows more than one query to be run however you still need to code correctly for good practice and in case you ever end up using an older mysql (or other database) engine.

    You should always use mysql_real_escape_string() for information supplied by the user which is to go into your SQL statement. You should really switch to mysqli too and avoid using mysql altogether.
    I can't really think of anything to write here now...

  #3  New Coder, wlf
    As tangoforce already said you should always validate user input... you should not trust the user to do the right thing.

    Another built-in function I would recommend for user input validation (besides the already mentioned mysqli_real_escape_string) is PHP: preg_match - Manual
    A good programmer is someone who looks both ways before crossing a one-way street. Free hosting

  #4  Master Coder, felgall
    You shouldn't be using the mysql_ interface any more at all - it is about to be removed from PHP as it was deprecated quite a while ago.

    You should be using either the mysqli_ interface or PDO instead.

    Both of these alternatives support the use of separate prepare and bind statements (instead of query) to keep the SQL and the data completely separate. With them separate you can then use $_GET in the bind call to allow your visitors to fill the database with millions of terabytes of junk without any risk of SQL injection.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.
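Added example, not code from the thread or any of its posters, showing the two fixes the replies point at for the original snippet: the request supplies a table name, which is an identifier and cannot be sent through a bind call, so it is checked against an allow-list instead, while a data value (an assumed `id` column) is bound with PDO exactly as #4 describes. The table names, DSN, credentials and the helper names tableFromRequest and findRows are assumptions.

```php
<?php
// Added example (not from the thread). The original concatenates $_GET['value']
// straight into the query text. A table name is an identifier, so it cannot
// be a bound parameter: it is allow-listed. A column value is bound.

// 1. Identifiers from the request: compare against a fixed allow-list.
//    Escaping is not enough for identifiers; only an exact match is accepted.
const ALLOWED_TABLES = ['products', 'categories'];   // assumed table names

function tableFromRequest(array $get): string
{
    $name = $get['value'] ?? '';
    if (!in_array($name, ALLOWED_TABLES, true)) {
        http_response_code(400);
        exit('unknown table');
    }
    return $name;   // now one of our own literals, safe to interpolate
}

// 2. Data values from the request: bind them, so SQL text and data stay separate.
function findRows(PDO $pdo, string $table, string $id): array
{
    $sql  = "SELECT * FROM `$table` WHERE id = :id";   // $table was allow-listed
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);      // quotes/semicolons stay data
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Assumed DSN and credentials. Emulated prepares are switched off so the
// MySQL server itself receives the statement and the parameter separately.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$table = tableFromRequest($_GET);
$rows  = findRows($pdo, $table, $_GET['id'] ?? '');
header('Content-Type: application/json');
echo json_encode($rows);
```

The "drop table" and "update users" strings from #2 are harmless here: an unknown table name is rejected before any SQL is built, and the bound id is never parsed as SQL.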
