Voodoo Jai, posted August 9, 2008

I have decided to change my select table query to a select view query. Unfortunately it now does not accept the GET variable passed from the URL. Here is the statement:

<?php
$Take_Takeaway = "1";
if (isset($_GET['TakeawayID'])) {
  $Take_Takeaway = (get_magic_quotes_gpc()) ? $_GET['TakeawayID'] : addslashes($_GET['TakeawayID']);
}
mysql_select_db($database_LostMyMenu_conn, $LostMyMenu_conn);
// The statement as posted had no FROM clause; the tables below are inferred from the WHERE clause.
$query_NewView = sprintf("SELECT NewView.TakeawayID, NewView.Takeaway_Name, NewView.Line1, NewView.Line2, NewView.Map_Link
  FROM NewView, list_type, city
  WHERE NewView.TakeawayID = %s AND NewView.List_type = list_type.List_TypeID AND NewView.City = city.CityID", $Take_Takeaway);
?>

When this worked before the change, I had to create a variable for the TakeawayID in the WHERE clause, shown as "%s" and also "$Take_Takeaway". So why is it defaulting to the first ID of the table the view accesses? I know someone will point out the assignment of the value "1" at the beginning, but this was how it worked before, OK. If I comment it out it still defaults to "1".

Many thanks
VoodooJai

(PS: bet it's a simple typo that I can't see for looking.)

Link to comment: https://forums.phpfreaks.com/topic/118961-help-with-view-variables-not-being-seen/
genericnumber1, posted August 9, 2008

Your script is susceptible to SQL injection. See:

?TakeawayID=1 UNION ALL DROP TABLE yourTable --

Stick single quotes around %s; that should secure it (to some extent) and maybe fix it. I'd suggest using mysql_real_escape_string() over addslashes() though.
Voodoo Jai (author), posted August 9, 2008

> Your script is susceptible to SQL injection. See:
>
> ?TakeawayID=1 UNION ALL DROP TABLE yourTable --
>
> Stick single quotes around %s; that should secure it (to some extent) and maybe fix it. I'd suggest using mysql_real_escape_string() over addslashes() though.

Still no change after your suggestions. How could I check that my script is secure? What should I be doing?

Thanks
VoodooJai
genericnumber1, posted August 9, 2008

Well, it should be more or less secure as long as you don't allow user variables to be posted in outside of single quotes. I purposefully used wrong syntax earlier; I don't think that you can use UNION ALL for non-SELECT queries, so it shouldn't run (?). Putting it in for your GET wouldn't be a good test to see if you are secure...
Voodoo Jai (author), posted August 9, 2008

So is this OK, or does it need single quotes too?

$query_limit_Recordset1 = sprintf("%s LIMIT %d, %d", $query_Recordset1, $startRow_Recordset1, $maxRows_Recordset1);

The problem still defaults to 1, so that hasn't cured it.
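Added example, not code from the thread or from either poster: the hardened form of the lookup that both replies point towards, using integer validation and a PDO prepared statement instead of quoting plus addslashes()/mysql_real_escape_string(), and showing why the LIMIT %d, %d pattern from the last post is safe on its own. The table and column names come from the posts; the DSN, credentials, the FROM clause (assuming the NewView view already joins list_type and city) and the helper function names are assumptions.

```php
<?php
// Added example (not from the thread): the TakeawayID lookup with the user value
// kept out of the SQL text entirely. Assumptions: PDO with the mysql driver,
// that NewView already performs the list_type/city joins, and the DSN/credentials.

function takeawayIdFromRequest(array $get, int $default = 1): int
{
    // TakeawayID is an integer key, so validate it as an integer rather than
    // escaping it as a string. Anything that is not a positive integer (including
    // the "1 UNION ALL ..." string from the thread) is rejected and the default is used.
    if (!isset($get['TakeawayID'])) {
        return $default;
    }
    $id = filter_var($get['TakeawayID'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? $default : $id;
}

function fetchTakeaway(PDO $pdo, int $takeawayId): ?array
{
    // The placeholder is sent to the server separately from the statement text,
    // so quoting and escaping are no longer the application's job.
    $sql = 'SELECT NewView.TakeawayID, NewView.Takeaway_Name, NewView.Line1, NewView.Line2, NewView.Map_Link
            FROM NewView
            WHERE NewView.TakeawayID = :id';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':id', $takeawayId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function fetchPage(PDO $pdo, int $startRow, int $maxRows): array
{
    // Pagination as in the last post: %d forces each argument to an integer, so a
    // non-numeric value cannot change the statement. Clamping keeps LIMIT valid.
    $sql = sprintf(
        'SELECT TakeawayID, Takeaway_Name FROM NewView ORDER BY TakeawayID LIMIT %d, %d',
        max(0, $startRow),
        max(1, $maxRows)
    );
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request values, checked without a database connection.
$accepted = takeawayIdFromRequest(['TakeawayID' => '7']);                                   // 7
$rejected = takeawayIdFromRequest(['TakeawayID' => '1 UNION ALL DROP TABLE yourTable --']); // falls back to 1
$missing  = takeawayIdFromRequest([]);                                                        // falls back to 1

// Against a real database (assumed DSN and credentials):
// $pdo = new PDO('mysql:host=localhost;dbname=LostMyMenu;charset=utf8mb4', 'user', 'pass', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
// ]);
// $row  = fetchTakeaway($pdo, takeawayIdFromRequest($_GET));
// $page = fetchPage($pdo, 0, 10);
```

Quoting the %s and escaping the value, as suggested in the thread, does stop the string from breaking out of the literal, but it still relies on every call site remembering to do both; validating the ID as an integer and binding it as a parameter removes the user input from the SQL text altogether, which is the check a reviewer would look for.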