09-14-2008, 12:12 PM
GFY's Halfpint
Industry Role:
Join Date: Jun 2007
Location: UK
Posts: 15,223
Quote:
Originally Posted by Janh
$query4 = "SELECT gid,gname FROM favoritegames WHERE uid='$_REQUEST[user]'";
This is bad: everyone can hack your database with query injection.
Solve this with one of the following examples.
1: (If uid is numeric)
$query4 = "SELECT gid,gname FROM favoritegames WHERE uid=".(int)$_REQUEST['user'];
2: (if uid is a text/varchar)
$query4 = "SELECT gid,gname FROM favoritegames WHERE uid='".mysql_real_escape_string($_REQUEST['user'])."'";
It's always better to do this via a public check function as below
$query4 = "SELECT gid,gname FROM favoritegames WHERE uid=".dbcheck($_REQUEST['user']);
function dbcheck($dbValue,$dbType="s"){
    $dbTemp = $dbValue;
    // double any single quote so it cannot close the SQL string literal
    $dbTemp = str_replace("'","''",$dbTemp);
    // drop existing backslash escaping, then escape remaining backslashes for MySQL
    $dbTemp = stripslashes($dbTemp);
    $dbTemp = str_replace("\\","\\\\",$dbTemp);
    switch(strtolower($dbType)){
        case "i":
            // Numbers
            if (is_numeric($dbTemp)){
                $check = $dbTemp;
            } else {
                $check = "0";
            }
            break;
        case "b":
            // Boolean
            if ( $dbTemp>0 ){
                $check = 1;
            } else {
                $check = 0;
            }
            break;
        default:
            // String: wrap the escaped value in single quotes
            //if (strlen($dbTemp)>0) {
            $check = "'" . $dbTemp . "'";
            //} else {
            //$check = "Null";
            //}
            break;
    }
    return $check;
}
Thanks for that, I will change it right now.
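The lookup Janh is fixing, rewritten as an added example (not code from the thread): the user-supplied uid is validated as an integer, as in option 1 above, and then sent to the database as a bound parameter of a prepared statement, so it is never spliced into the SQL text and no quoting or escaping of the value is needed. The mysql_* functions used in the quote were removed in PHP 7, so the example uses PDO instead; it assumes an in-memory SQLite database with the thread's favoritegames table (gid, gname, uid), and the rows it inserts are constructed. The function names openSampleDb, parseUid and favoriteGames are this example's own.

```php
<?php
// Added example, not from the original thread. Builds a throwaway in-memory
// database with the thread's table so the script runs offline.
function openSampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE favoritegames (gid INTEGER, gname TEXT, uid INTEGER)');
    $insert = $db->prepare('INSERT INTO favoritegames (gid, gname, uid) VALUES (?, ?, ?)');
    // constructed sample rows
    foreach ([[1, 'chess', 42], [2, 'go', 42], [3, 'poker', 7]] as $row) {
        $insert->execute($row);
    }
    return $db;
}

// Option 1 from the thread, done as validation rather than a silent (int) cast:
// anything that is not a plain positive integer is rejected before any SQL runs.
function parseUid($raw): ?int
{
    $uid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $uid === false ? null : $uid;
}

// The query itself is a fixed string with a placeholder; the value is bound by
// PDO, so quotes or backslashes in the input never reach the SQL parser.
function favoriteGames(PDO $db, $rawUid): array
{
    $uid = parseUid($rawUid);
    if ($uid === null) {
        return []; // invalid id: no query is executed at all
    }
    $stmt = $db->prepare('SELECT gid, gname FROM favoritegames WHERE uid = ?');
    $stmt->execute([$uid]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = openSampleDb();
var_dump(favoriteGames($db, '42'));  // the two rows for uid 42
var_dump(favoriteGames($db, '7'));   // one row
var_dump(favoriteGames($db, 'abc')); // empty array: rejected by parseUid
```

If uid is a varchar column (option 2 in the quote), drop parseUid and bind the raw string the same way; the placeholder handles the quoting, which is why the dbcheck-style manual escaping is unnecessary with prepared statements.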