Re[4]: FN-FORUM PHP Autogenerated SQL statement help

date posted 5th June 2002 22:05

I'm not quite sure that it is a security risk for the average
programmer - it makes hacking up quick scripts easy, and for larger
and more complex scripts, you just have to take this into
consideration - in most cases you just have to check that some hacker
isn't trying to fiddle with values that should come from a cookie or a
session, and initialise any values you worry about being changed via
the URL.

For the type of script mentioned, it isn't even a vague consideration -
and yes, most servers I've worked with do have it turned on, or at
least allow it to be turned on via .htaccess - they all have safe mode
turned on, so even if a badly programmed script does start raising
hell, it can't do damage outside the script directory or access
anything important.

-- Richard
http://www.rwatt.co.uk

Wednesday, June 05, 2002, 8:06:31 PM, you wrote:
---------------------------------------
DE> hopefully not too many - it's been a security issue (or feature if you
DE> subscribe to the M$ ethos) known for some time.

DE> it means people can stick querystrings on the url to emulate form
DE> submission or to remotely set any variable that may be a norm amongst PHP
DE> programmers... this is a Bad Thing
DE> ----- Original Message -----
DE> From: "Richard Watt" [EMAIL REMOVED]
DE> To: "Andrew Mottershead" [EMAIL REMOVED]
DE> Sent: Wednesday, June 05, 2002 6:17 PM
DE> Subject: Re[2]: FN-FORUM PHP Autogenerated SQL statement help


DE> hmm, cut all the 'reqest' stuff - most PHP servers will make form
DE> variables globally available.

DE> The SQL stuff would be more like

DE> if ($a2 == 'A') { $int_sql .= 'television = true and '; }

DE> easy to shove the syntax about for that (maybe use a switch statement
DE> for neatness?)

DE> The last section would be something like

DE> if ($acode == 0) {
DE>     // no area code: drop the trailing ' and ' (4 chars) from the clause
DE>     $intval = strlen($int_sql);
DE>     $intval = $intval - 4;
DE>     $int_sql = substr($int_sql, 0, $intval);
DE> } else {
DE>     // note: $acode goes into the SQL text unescaped here
DE>     $int_sql .= "areacode = '$acode'";
DE> }

DE> I may have messed some of the precise syntax, but that should be
DE> roughly it.

DE> -- Richard
DE> http://www.rwatt.co.uk

DE> Wednesday, June 05, 2002, 6:01:05 PM, you wrote:
DE> ---------------------------------------
AM>> No it's not live at the moment?

AM>> regards

AM>> Andrew Mottershead
AM>> Web Developer
AM>> Mindstream Web Design

AM>> email: [EMAIL REMOVED]
AM>> tel: +44 (0)1743 718262
AM>> fax: +44 (0) 7092 115513
AM>> web: www.mindstream.co.uk




>>> -----Original Message-----
>>> From: [EMAIL REMOVED]
>>> [EMAIL REMOVED] On Behalf Of Darren Spink
>>> Sent: 05 June 2002 17:13
>>> To: [EMAIL REMOVED]
>>> Subject: RE: FN-FORUM PHP Autogenerated SQL statement help
>>>
>>>
>>> I haven't got my code reading head on Andrew....have you got
>>> that page on a site so I could see it working and then give comment ??
>>>
>>> Regards
>>>
>>>
>>> Darren Spink
>>>
>>> TEL: +44(0)113 253 4750
>>> FAX: +44(0)113 253 1686
>>> EML: [EMAIL REMOVED]
>>> ICQ: 56667649
>>>
>>> -----Original Message-----
>>> From: [EMAIL REMOVED]
>>> [EMAIL REMOVED] Behalf Of Andrew
>>> Mottershead
>>> Sent: 05 June 2002 16:59
>>> To: [EMAIL REMOVED]
>>> Subject: FN-FORUM PHP Autogenerated SQL statement help
>>>
>>>
>>> Hello there folks - I've finally taken the plunge and decided
>>> to put together a PHP site. I need a little help though...
>>> This is the code I would use in ASP
>>>
>>>
>>> a1 = request.Form("Fac_A")
>>> a2 = request.Form("Fac_B")
>>> a3 = request.Form("Fac_C")
>>> a4 = request.Form("Fac_D")
>>> a5 = request.Form("Fac_E")
>>> a6 = request.Form("Fac_F")
>>> a7 = request.Form("Fac_G")
>>> a8 = request.Form("Fac_H")
>>> a9 = request.Form("Fac_I")
>>> a10 = request.Form("Fac_J")
>>>
>>> a11 = request.Form("Fac_1A")
>>> a12 = request.Form("Fac_1B")
>>> a13 = request.Form("Fac_1C")
>>> a14 = request.Form("Fac_1D")
>>> a15 = request.Form("Fac_1E")
>>> a16 = request.Form("Fac_1F")
>>> a17 = request.Form("Fac_1G")
>>> a18 = request.Form("Fac_1H")
>>> a19 = request.Form("Fac_1I")
>>> a20 = request.Form("Fac_1J")
>>> a21 = request.Form("Fac_1K")
>>> a22 = request.Form("Fac_1L")
>>> a23 = request.Form("Fac_1M")
>>> a24 = request.Form("Fac_1N")
>>>
>>> a25 = request.Form("Fac_2A")
>>> a26 = request.Form("Fac_2B")
>>> a27 = request.Form("Fac_2C")
>>> a28 = request.Form("Fac_2D")
>>> a29 = request.Form("Fac_2E")
>>> a30 = request.Form("Fac_2F")
>>> a31 = request.Form("Fac_2G")
>>> a32 = request.Form("Fac_2H")
>>> a33 = request.Form("Fac_2I")
>>> a34 = request.Form("Fac_2J")
>>> a35 = request.Form("Fac_2K")
>>>
>>> a36 = request.Form("Fac_3A")
>>> a37 = request.Form("Fac_3B")
>>> a38 = request.Form("Fac_3C")
>>> a39 = request.Form("Fac_3D")
>>> a40 = request.Form("Fac_3E")
>>> a41 = request.Form("Fac_3F")
>>> a42 = request.Form("Fac_3G")
>>> a43 = request.Form("Fac_3H")
>>> a44 = request.Form("Fac_3I")
>>> a45 = request.Form("Fac_3J")
>>> a46 = request.Form("Fac_3K")
>>> a47 = request.Form("Fac_3L")
>>> a48 = request.Form("Fac_3M")
>>> a49 = request.Form("Fac_3N")
>>>
>>> int_sql = "select * from q4travfind where "
>>> if a1 = "A" then int_sql = int_sql & "teacoffee = true and "
>>> if a2 = "A" then int_sql = int_sql & "television = true and "
>>> if a4 = "A" then int_sql = int_sql & "satellitecable = true and "
>>> if a5 = "A" then int_sql = int_sql & "roomservice = true and "
>>> if a6 = "A" then int_sql = int_sql & "minibar = true and "
>>> if a7 = "A" then int_sql = int_sql & "trouserpress = true and "
>>> if a8 = "A" then int_sql = int_sql & "hairdryer = true and "
>>> if a9 = "A" then int_sql = int_sql & "telephone = true and "
>>> if a10 = "A" then int_sql = int_sql & "roominternet = true and "
>>> if a11 = "A" then int_sql = int_sql & "restaurant = true and "
>>> if a12 = "A" then int_sql = int_sql & "loungebar = true and "
>>> if a13 = "A" then int_sql = int_sql & "specialdiets = true and "
>>> if a14 = "A" then int_sql = int_sql & "nightporter = true and "
>>> if a15 = "A" then int_sql = int_sql & "lift = true and "
>>> if a17 = "A" then int_sql = int_sql & "babysitting = true and "
>>> if a18 = "A" then int_sql = int_sql & "groundfloorbeds = true and "
>>> if a20 = "A" then int_sql = int_sql & "cotsavail = true and "
>>> if a22 = "A" then int_sql = int_sql & "nosmokarea = true and "
>>> if a23 = "A" then int_sql = int_sql & "conference = true and "
>>> if a24 = "A" then int_sql = int_sql & "disabledno = true and "
>>> if a25 = "A" then int_sql = int_sql & "swimindoor = true and "
>>> if a26 = "A" then int_sql = int_sql & "sauna = true and "
>>> if a27 = "A" then int_sql = int_sql & "jacuzzi = true and "
>>> if a28 = "A" then int_sql = int_sql & "solarium = true and "
>>> if a29 = "A" then int_sql = int_sql & "gym = true and "
>>> if a31 = "A" then int_sql = int_sql & "lawngarden = true and "
>>> if a32 = "A" then int_sql = int_sql & "eveningentertain = true and "
>>> if a35 = "A" then int_sql = int_sql & "beautysalon = true and "
>>> if a36 = "A" then int_sql = int_sql & "abirdwatching = true and "
>>> if a39 = "A" then int_sql = int_sql & "agolf = true and "
>>> if a40 = "A" then int_sql = int_sql & "afish = true and "
>>> if a41 = "A" then int_sql = int_sql & "walkingtrails = true and "
>>> if a43 = "A" then int_sql = int_sql & "ashooting = true and "
>>> if a44 = "A" then int_sql = int_sql & "skisnow = true and "
>>> if a45 = "A" then int_sql = int_sql & "acastlestours = true and "
>>> if a46 = "A" then int_sql = int_sql & "agalleries = true and "
>>> if a47 = "A" then int_sql = int_sql & "acinemas = true and "
>>> if a48 = "A" then int_sql = int_sql & "awhiskytours = true and "
>>> if a49 = "A" then int_sql = int_sql & "alocalcrafts = true and "
>>>
>>>
>>> if acode = "0" then
>>> intval = len(int_sql)
>>> intval = intval - 4
>>> int_sql = left(int_sql,intval)
>>> else
>>> int_sql = int_sql & "areacode = '" & acode &"'"
>>> end if
>>> %>
>>>
>>>
>>> How would I go about this in PHP? Thanks in advance!
>>>
>>> regards
>>>
>>> Andrew Mottershead
>>> Web Developer
>>> Mindstream Web Design
>>>
>>> email: [EMAIL REMOVED]
>>> tel: +44 (0)1743 718262
>>> fax: +44 (0) 7092 115513
>>> web: www.mindstream.co.uk
>>>

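An added example (my own code, not Richard's or Andrew's) of how the facility filter and areacode clause discussed in this thread can be built in PHP without relying on register_globals or concatenating user input into the SQL: the form-field-to-column map is an explicit whitelist, and areacode is bound as a query parameter. It assumes PDO and a `$pdo` connection, and takes the table and column names from Andrew's ASP.

```php
<?php
// Added example, not from the thread. Table/column names follow Andrew's
// ASP; the PDO connection $pdo used at the bottom is assumed.
// Form field => column. Only columns listed here can reach the SQL text,
// whatever the request contains (a whitelist, not register_globals).
const FACILITY_COLUMNS = [
    'Fac_A'  => 'teacoffee',
    'Fac_B'  => 'television',
    'Fac_D'  => 'satellitecable',
    'Fac_E'  => 'roomservice',
    'Fac_1A' => 'restaurant',
    'Fac_2A' => 'swimindoor',
    // ... the remaining Fac_* fields map to their columns the same way
];

// Returns [sql, params]. $form is passed in explicitly ($_POST), so a
// value appended to the querystring cannot set a variable by name.
function buildTravfindQuery(array $form): array
{
    $conditions = [];
    $params = [];
    foreach (FACILITY_COLUMNS as $field => $column) {
        // Only the literal value 'A' (box ticked) selects a column.
        if (($form[$field] ?? '') === 'A') {
            $conditions[] = "$column = true";
        }
    }

    // areacode is user data: bind it as a parameter rather than
    // concatenating it, so quotes in it cannot change the query.
    $acode = $form['acode'] ?? '0';
    if ($acode !== '0') {
        $conditions[] = 'areacode = :areacode';
        $params[':areacode'] = $acode;
    }

    // implode joins only between items, so there is no trailing " and "
    // to trim, and an empty list produces no WHERE clause at all.
    $sql = 'select * from q4travfind';
    if ($conditions !== []) {
        $sql .= ' where ' . implode(' and ', $conditions);
    }
    return [$sql, $params];
}

// Usage with an assumed PDO connection $pdo:
// [$sql, $params] = buildTravfindQuery($_POST);
// $stmt = $pdo->prepare($sql);
// $stmt->execute($params);
```

With no boxes ticked and acode left at '0' the function returns `select * from q4travfind` with no parameters, which is the case the original substr/left trimming had to special-case.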
