$query4 = "SELECT gid,gname FROM favoritegames WHERE uid='$_REQUEST[user]'";
This is bad... everyone can hack your database with query injection.
Solve this with one of the following examples.
1: (If uid is numeric)
$query4 = "SELECT gid,gname FROM favoritegames WHERE uid=".(int)$_REQUEST['user'];
2: (if uid is a text/varchar)
$query4 = "SELECT gid,gname FROM favoritegames WHERE uid='".mysql_real_escape_string($_REQUEST['user'])."'";
It's always better to do this via a public check function as below:
$query4 = "SELECT gid,gname FROM favoritegames WHERE uid=".dbcheck($_REQUEST['user']);

// Escapes or validates one value for use inside a MySQL query string.
// $dbType: "i" = integer, "b" = boolean, anything else = string (returned quoted).
// It only handles single quotes and backslashes; where the driver supports it,
// a prepared statement is the more robust alternative to any escaping function.
function dbcheck($dbValue, $dbType = "s") {
    $dbTemp = $dbValue;
    $dbTemp = str_replace("'", "''", $dbTemp);    // double single quotes (SQL escaping)
    $dbTemp = stripslashes($dbTemp);              // drop slashes added by magic_quotes
    $dbTemp = str_replace("\\", "\\\\", $dbTemp); // then escape backslashes for MySQL
    switch (strtolower($dbType)) {
        case "i":
            // Numbers: anything that is not numeric becomes 0
            if (is_numeric($dbTemp)) {
                $check = $dbTemp;
            } else {
                $check = "0";
            }
            break;
        case "b":
            // Boolean: anything greater than zero is true
            if ($dbTemp > 0) {
                $check = 1;
            } else {
                $check = 0;
            }
            break;
        default:
            // String: return the escaped value wrapped in quotes
            //if (strlen($dbTemp) > 0) {
            $check = "'" . $dbTemp . "'";
            //} else {
            //    $check = "Null";
            //}
            break;
    }
    return $check;
}
__________________
Contact me for buy/sell traffic or visit www.ero-advertising.com
Advertise with Text ads, Thumb ads, Banners, Video ads, Layer ads or AdSpaces (fixed spots at fixed prices). All traffic is GEO-IP & country filtered (and anti-fraud checked).
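As an added example (not part of the post above), the same favoritegames lookup with a PDO prepared statement: the uid is bound as a parameter instead of being escaped into the SQL text, which is the approach the check function above is approximating. It assumes the pdo_sqlite extension and uses constructed rows in an in-memory database so it runs offline.

```php
<?php
// Added example, not from the original post: favoritegames lookup with a PDO
// prepared statement, so the uid never becomes part of the SQL text.
// Runs offline against an in-memory SQLite database with constructed rows.

function favoriteGamesFor(PDO $db, string $uid): array
{
    // The value travels to the driver separately from the statement, so a
    // quote or backslash in $uid is compared literally rather than ending the string.
    $stmt = $db->prepare('SELECT gid, gname FROM favoritegames WHERE uid = :uid');
    $stmt->execute([':uid' => $uid]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE favoritegames (gid INTEGER, gname TEXT, uid TEXT)');

// Constructed sample data; the second uid contains a single quote on purpose.
$ins = $db->prepare('INSERT INTO favoritegames (gid, gname, uid) VALUES (?, ?, ?)');
foreach ([[1, 'chess', 'alice'], [2, 'go', "o'brien"], [3, 'poker', 'alice']] as $row) {
    $ins->execute($row);
}

// Values as they would arrive in $_REQUEST['user'].
print_r(favoriteGamesFor($db, 'alice'));    // plain uid, matched as usual
print_r(favoriteGamesFor($db, "o'brien"));  // the quote inside the uid is data, not syntax
print_r(favoriteGamesFor($db, "alice'"));   // a stray trailing quote cannot alter the query
```

For a numeric uid, validate first with filter_var($uid, FILTER_VALIDATE_INT) and bind the result with PDO::PARAM_INT instead of casting with (int), which silently turns "12abc" into 12.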