  1. #1
    New to the CF scene
    Join Date
    Mar 2014
    Thanked 0 Times in 0 Posts

    Question Risks of using GET method in MySQL queries

    Hi, what are the risks of using:
    PHP Code:

    <?php
    // 'value' comes from the link, i.e. the href of an <a> tag (page.php?value=...)
    $value = $_GET['value'];
    $query = "SELECT * FROM $value";

    // instead of 'value' being fixed in the code:
    $query = "SELECT * FROM value";


  2. #2
    Master Coder
    Join Date
    Feb 2011
    Your Monitor
    Thanked 614 Times in 600 Posts

    You're allowing the user to input their own query. What's to stop me adding " users; drop table accounts" ?

    Worse... I could do this: " users; update users set password = 'password' where user_name = 'admin'

    Suddenly your admin account has its password reset and you've been hacked.

    Granted mysql no longer allows more than one query to be run however you still need to code correctly for good practice and in case you ever end up using an older mysql (or other database) engine.

    You should always use mysql_real_escape_string() for information supplied by the user which is to go into your SQL statement. You should really switch to mysqli too and avoid using mysql altogether.
    Quote Originally Posted by deathshadow
    So seriously, loosen up that tie, let out the belt, and try relating to normal people on the street instead of the gentleman's club crowd.

  3. #3
    New Coder
    Join Date
    Aug 2012
    Thanked 2 Times in 2 Posts
    As tangoforce already said, you should always validate user input... you should not trust the user to do the right thing.

    Another built-in function I would recommend for user input validation (besides the already mentioned mysqli_real_escape_string) is PHP: preg_match - Manual
    A good programmer is someone who looks both ways before crossing a one-way street. $1 hosting

  4. #4
    Master Coder felgall's Avatar
    Join Date
    Sep 2005
    Sydney, Australia
    Thanked 932 Times in 919 Posts
    You shouldn't be using the mysql_ interface any more at all - it is about to be removed from PHP as it was deprecated quite a while ago.

    You should be using either the mysqli_ interface or PDO instead.

    Both of these alternatives support the use of separate prepare and bind statements (instead of query) to keep the SQL and the data completely separate. With them separate you can then use $_GET in the bind call to allow your visitors to fill the database with millions of terabytes of junk without any risk of SQL injection.
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.
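The following is an added example and not code from any poster in this thread. It puts the pattern from the question (a table name taken straight from the link) next to a hardened version built from the advice in replies #2, #3 and #4: validate the identifier with preg_match and an allow-list, and move the data value into a mysqli prepare/bind call. The one caveat the replies do not spell out is that placeholders only work for values, never for table or column names, so the identifier part still needs validation. Assumptions: a mysqli connection in `$db`, the mysqlnd driver (for `get_result()`), and hypothetical tables `products` and `categories` with an integer `id` column.

```php
<?php
// Added example, not the original poster's code. Assumes a mysqli connection in $db,
// the mysqlnd driver, and hypothetical tables 'products' / 'categories' with an 'id' column.
declare(strict_types=1);

// --- Vulnerable: whatever is in the link becomes part of the SQL text ---------
function buildUnsafeQuery(string $fromLink): string
{
    // page.php?value=products works, but so does a value that carries the extra
    // statement shown in reply #2; the string is simply glued into the query.
    return "SELECT * FROM " . $fromLink;
}

// --- Hardened step 1: identifiers cannot be bound, so allow-list them ---------
const ALLOWED_TABLES = ['products', 'categories'];   // hypothetical table names

function tableFromRequest(array $get): string
{
    $name = $get['value'] ?? '';
    // preg_match (reply #3) rejects anything that is not a plain identifier;
    // the allow-list then rejects valid-looking names that were never meant to be exposed.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)
        || !in_array($name, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('unknown table');
    }
    return $name;
}

// --- Hardened step 2: data values go through prepare/bind (reply #4) ----------
function fetchRowById(mysqli $db, array $get): ?array
{
    $table = tableFromRequest($get);                       // validated against the allow-list
    $id    = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    // The identifier is safe by construction; the value is a bound placeholder,
    // so the SQL text and the user-supplied data never mix.
    $stmt = $db->prepare("SELECT * FROM `$table` WHERE id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage (hypothetical connection details):
// $db  = new mysqli('localhost', 'user', 'pass', 'shop');
// $row = fetchRowById($db, $_GET);          // e.g. page.php?value=products&id=42
// tableFromRequest(['value' => 'accounts']) // throws: not in ALLOWED_TABLES
```

The same split applies with PDO: `$pdo->prepare(...)` with `bindValue()` or an execute array covers the data value, and the table name still has to come from an allow-list because `?` placeholders cannot stand in for identifiers. Note that `mysqli_real_escape_string()` is not used here at all; with prepared statements the value is never spliced into the SQL string, so there is nothing to escape.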

