Slashdot Mirror


User: the_european

the_european's activity in the archive.

Stories
0
Comments
3
Comments · 3

  1. Re:Risk of SQL injection on How to Do Everything with PHP and MySQL · · Score: 1

    Paul Dubois' last edition of MySQL covers, among other interesting topics, using Pear::DB with placeholders.

  2. Risk of SQL injection on How to Do Everything with PHP and MySQL · · Score: 5, Insightful

    Look at the examples given in the companion web site. There is code like the following, which is highly vulnerable to SQL injection attacks:

    $title = $_POST['title'];
    $content = $_POST['content'];
    $contact = $_POST['contact'];

    // validate text input fields
    if (trim($_POST['title']) == '')
    {
    $errorList[] = 'Invalid entry: Title';
    }

    Validate? Just by removing trailing spaces? People trusting this book's advice will be very sorry soon.

    // and later in the script ...

    $query = "INSERT INTO news(title, content, contact, timestamp) VALUES('$title', '$content', '$contact', NOW())";
    $result = mysql_query($query) or die ("Error in query: $query. " . mysql_error());

    One more example:

    // generate and execute query
    $id = $_GET['id'];
    $query = "SELECT title, content, contact FROM news WHERE id = '$id'";
    $result = mysql_query($query) or die ("Error in query: $query. " . mysql_error());

    No validation at all! User input thrown into the database without any check!

    It's unbelievable that in 2005, after all the outrage and cry about SQL injection there is still a new book proposing such horrible code!
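The fix the two comments above are asking for, as an added example that is not code from the book, its companion site, or either commenter: both of the quoted queries rewritten with PDO prepared statements (PDO ships with PHP since 5.1 and does the same job as the Pear::DB placeholders mentioned in comment 1). The `news` table and its columns come from the quoted snippets; the DSN, credentials and the helper names `connect`, `insertNews` and `findNews` are assumptions for illustration.

```php
<?php
// Added example: parameterised versions of the book's two queries using PDO.
// DSN, credentials and function names are assumed; the table layout is the one
// visible in the quoted snippets (news: id, title, content, contact, timestamp).

declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=newsdb;charset=utf8mb4', // assumed DSN
        'newsuser',                                            // assumed user
        'secret',                                              // assumed password
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );
}

// Insert a news item. The values never become part of the SQL text: they are
// sent as bound parameters, so a title such as  x'); DROP TABLE news; --  is
// stored literally instead of being parsed as SQL.
function insertNews(PDO $pdo, string $title, string $content, string $contact): int
{
    // trim() is a presence check, not a security control; the safety comes
    // from the placeholders below.
    if (trim($title) === '' || trim($content) === '') {
        throw new InvalidArgumentException('title and content are required');
    }
    $stmt = $pdo->prepare(
        'INSERT INTO news (title, content, contact, timestamp) VALUES (?, ?, ?, NOW())'
    );
    $stmt->execute([$title, $content, $contact]);
    return (int) $pdo->lastInsertId();
}

// Fetch one item by id. The id is validated as a positive integer and then
// bound with an explicit type, so  ?id=1' OR '1'='1  can neither change the
// query nor return every row.
function findNews(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // reject bad input; do not try to "clean" it
    }
    $stmt = $pdo->prepare('SELECT title, content, contact FROM news WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Request handling in the shape of the book's scripts, minus the string splicing.
$pdo = connect();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $newId = insertNews(
        $pdo,
        (string) ($_POST['title'] ?? ''),
        (string) ($_POST['content'] ?? ''),
        (string) ($_POST['contact'] ?? '')
    );
    echo 'Inserted news item ' . $newId;
} elseif (isset($_GET['id'])) {
    $item = findNews($pdo, (string) $_GET['id']);
    if ($item === null) {
        http_response_code(404);
        echo 'No such item';
    } else {
        echo htmlspecialchars($item['title'], ENT_QUOTES, 'UTF-8');
    }
}
```

Two details of the quoted code are worth a second look beyond the injection itself: `or die("Error in query: $query. " . mysql_error())` echoes the full SQL statement and the server's error text to the browser, which hands an attacker exactly the feedback needed to refine a payload; with `ERRMODE_EXCEPTION` the failure is logged server-side instead. And the original `$id` query quotes the value (`id = '$id'`), which does not protect it: MySQL will happily evaluate `'1' OR '1'='1'`, so the integer must be validated and bound as an integer, as `findNews` does.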

  3. Re:It's illegal to knowingly download classified d on Copy-and-Paste Reveals Classified U.S. Documents · · Score: 3, Insightful

    Classified?

    Have you read it?

    The original document says "UNCLASSIFIED" just on top of every page.