From:SGreen Date:September 14 2004 1:31pm
Subject:Re: HelpPlease: Conditional loop confusion
I agree and I am sorry I forgot a very basic security practice. You must 
always check any input from a user.  Make sure that the user gives you a 
valid number and reject the request if it is anything out of your 
acceptable range or datatype. Otherwise a "bad" user could compromise your 
database or, worse, create havoc on your server. 

hf0722x,  what I was trying to help correct was a basic misunderstanding 
of how to create dynamic SQL statements with PHP. Stuart is struggling to 
understand 3 environments at once (MySQL, PHP, and Dreamweaver) and I 
wasn't even thinking about input validation. 

Thanks for the catch.

Shawn Green
Database Administrator
Unimin Corporation - Spruce Pine

news <news@stripped> wrote on 09/14/2004 05:08:00 AM:

> In article <OFE319C366.FA3FA287-ON85256F0E.006E3CA7-85256F0E.
> 006F04C1@stripped>,
> SGreen@stripped writes:
> 
> > Don't do an "@usrDays",  just stick the number in there so that the 
> > statement you create looks exactly like the one you tested with.
> 
> > If you get a "number" from a user from a form, just put that value into 
> > the string. For instance if the user enters 43 into a field on the first 
> > page, put 43 into the query. 
> 
> > Let's imagine that you get the value 43 into a variable (off of the 
> > request) called $daterange...
> > and let's imagine that you build your query into a variable called $query
> 
> > I think this is how you would build the correct query (my PHP is rusty):
> 
> > $query = "SELECT DateEntry from Entry_table WHERE DateEntry >= 
> > DATE_SUB(CURDATE(), INTERVAL ". $daterange." day)";
> 
> > See? Pretend you are a typist and BUILD the string as you want it 
> > executed. Then do it.
> 
> I think this is bad advice, even for a novice like Stuart, because it
> is susceptible to SQL injection attacks.  I don't know if PHP has
> prepared statements like Perl DBI; if not, $daterange should either be
> quoted or checked in PHP if it's really a number.
> 
> 
> -- 
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe:    http://lists.mysql.com/mysql?unsub=1
> 
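The two fixes Harald asks for (check that $daterange is really a number, and pass it to MySQL as a bound parameter rather than splicing it into the string) look like this in PHP. This is an added example, not code from anyone in the thread; the table and column names come from the quoted query, PDO is assumed as the database layer, and the 3650-day upper bound is an assumed application limit.

```php
<?php
// Added example (not from the original thread). Validates an untrusted
// day count, then binds it as a parameter so it is never parsed as SQL.
// Assumptions: PDO connection, MySQL syntax, MAX_DAYS as app policy.
declare(strict_types=1);

const MAX_DAYS = 3650; // assumed limit on how far back a user may query

/**
 * Return the day count as an int, or null if the form value is not an
 * integer in [0, MAX_DAYS]. "43 OR 1=1", "-5", "1e3" and "" all fail.
 */
function validateDays(string $raw): ?int
{
    $days = filter_var(trim($raw), FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => MAX_DAYS]]);
    return $days === false ? null : $days;
}

/**
 * Build the quoted query with a placeholder instead of the concatenated
 * value. Returns [sql, params] ready for PDOStatement::execute().
 */
function buildDateRangeQuery(string $raw): array
{
    $days = validateDays($raw);
    if ($days === null) {
        throw new InvalidArgumentException('rejected day count: ' . $raw);
    }
    $sql = 'SELECT DateEntry FROM Entry_table '
         . 'WHERE DateEntry >= DATE_SUB(CURDATE(), INTERVAL ? DAY)';
    return [$sql, [$days]];
}

// Constructed sample inputs standing in for $_GET['daterange'].
$samples = ['43', ' 7 ', '43 OR 1=1', '-5', '1e3', ''];
foreach ($samples as $raw) {
    try {
        [$sql, $params] = buildDateRangeQuery($raw);
        printf("accepted %-12s -> params %s\n", var_export($raw, true), json_encode($params));
    } catch (InvalidArgumentException $e) {
        printf("rejected %-12s (%s)\n", var_export($raw, true), $e->getMessage());
    }
}

// With a live connection ($pdo = new PDO('mysql:...'), assumed) the call is:
//   [$sql, $params] = buildDateRangeQuery($_GET['daterange'] ?? '');
//   $stmt = $pdo->prepare($sql); $stmt->execute($params);
```

Running it offline prints two accepted rows (43 and 7) and four rejections; the query text itself never changes with the input.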
