dropfaith posted October 19, 2008

I'm trying to make this as secure as possible. This is used any time I pull data from the DB:

<?php
if (!isset($_GET['needoffer'])) {
    header('Location: /rideshare/');
    exit; // stop here: without exit the rest of the page still runs after the redirect header is sent
}

// includes
include("../template/conf.php");

// open database connection
$connection = mysql_connect($host, $user, $pass) or die("Unable to connect!");

// select database
mysql_select_db($db) or die("Unable to select database!");

// generate and execute query
if (!is_array($_GET['needoffer'])) {
    // note: mysql_escape_string ignores the connection character set; mysql_real_escape_string does not
    $needoffer = mysql_escape_string(trim($_GET['needoffer']));
    $query = "SELECT * FROM rideshare WHERE needoffer = '$needoffer'";
    $result = mysql_query($query) or die("Error in query: $query. " . mysql_error());
} else {
    // special circumstance: needoffer was passed as an array (?needoffer[]=...), so return everything
    $query = "SELECT * FROM rideshare";
    $result = mysql_query($query) or die("Error in query: $query. " . mysql_error());
}

// if records present
if (mysql_num_rows($result) > 0) {
    // iterate through resultset
    // print article titles
    while ($row = mysql_fetch_object($result)) {
?>
    <!-- per-row HTML output (not included in the original post) -->
<?php
    }
}
?>

and anything on insert runs through this:

$Contact = mysql_real_escape_string(trim(stripslashes($_POST['Contact'])));

Just trying to find out the best practice to secure things, because every time I ask someone to test the security they find a hole somehow.
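As an added example, not part of the original post: the same lookup page rewritten so that the value from the query string never becomes part of the SQL text. It uses PDO prepared statements instead of string escaping, validates `needoffer` against an allowlist pattern (rejecting the array case that the original handled by returning every row), exits after the redirect, and escapes on output. It assumes `../template/conf.php` defines `$host`, `$db`, `$user` and `$pass` as in the original, that `needoffer` is a short alphanumeric code, and that the table has a `title` column; those names and the pattern are assumptions to adjust to the real schema.

```php
<?php
// Added example, not the original poster's code. Assumes conf.php defines
// $host, $db, $user, $pass and that rideshare has a "title" column.
declare(strict_types=1);

require __DIR__ . '/../template/conf.php';

// 1. Accept only a plain string that matches an allowlist pattern.
//    $_GET['needoffer'] can be an array (?needoffer[]=x), so check the type first.
//    \A and \z anchor the whole value; ^ and $ would let a trailing newline through.
$needoffer = $_GET['needoffer'] ?? null;
if (!is_string($needoffer) || !preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $needoffer)) {
    header('Location: /rideshare/');
    exit; // without exit, the rest of the script still executes after the redirect header
}

// 2. Connect with PDO and throw on errors instead of die()-ing with the query
//    text, which would leak the SQL and table names to the visitor.
$dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $host, $db);
$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepares, value sent separately from SQL
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_OBJ,
]);

// 3. Parameterised query: no escaping, trim() or stripslashes() games needed.
$stmt = $pdo->prepare('SELECT * FROM rideshare WHERE needoffer = :needoffer');
$stmt->execute([':needoffer' => $needoffer]);
$rows = $stmt->fetchAll();

// 4. Escape on output: titles are user submitted and may contain HTML.
if (count($rows) === 0) {
    echo '<p>No results.</p>';
} else {
    echo '<ul>';
    foreach ($rows as $row) {
        echo '<li>' . htmlspecialchars((string) $row->title, ENT_QUOTES, 'UTF-8') . '</li>';
    }
    echo '</ul>';
}
```

The allowlist check and the prepared statement do different jobs: the pattern keeps junk out of the application, while the prepared statement is what stops the value from being interpreted as SQL even when the pattern is later loosened to allow quotes or spaces.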
Bendude14 posted October 19, 2008

You know what information this is going to hold, correct?

$needoffer = mysql_escape_string(trim($_GET['needoffer']));

So you could add validation to make sure it's only letters and numbers, or only numbers, etc.
dropfaith posted October 19, 2008

Yeah, I know what that one will include, but for some I have no idea, as some pull article titles that are user submitted. http://lawrenceguide.org/ is the site. For some odd reason I can't get SQL Inject Me loading in my Firefox. I'm working on doing more tests now.
Bendude14 posted October 19, 2008

Well, how about validating the titles when they're submitted, not allowing anything but numbers and letters? Then validate again to make sure no one has changed them in the URL, as you are retrieving them using GET.
dropfaith posted October 19, 2008

Is there a better option than GET? It's all dynamic, so GET was the only thing I thought would work well. Links end up like this:

http://lawrenceguide.org/literature/bygenre.php?Genre=Adventure
http://lawrenceguide.org/artist/profile.php?Name=test

I'm fine with updating everything to a more secure format. It would take a while, but it's worth it to secure this.
Bendude14 posted October 19, 2008

I think GET is fine... I was just mentioning that you need to be validating the GET string on every page to make sure you are more secure. You could use regular expressions to validate for only characters, numbers and quotation marks, etc.
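As an added example, not code from either poster: a small helper that every page can call to validate a GET parameter against an allowlist pattern before it is used, run against constructed inputs standing in for the `Genre=` and `Name=` query strings mentioned in the thread. The parameter names come from the thread; the patterns and the `get_param` helper are assumptions and should be tightened or loosened to match what the site actually stores.

```php
<?php
// Added example, not from the original thread. get_param and the patterns
// below are assumptions; the parameter names Genre and Name come from the thread.
declare(strict_types=1);

/**
 * Return the trimmed value of $source[$name] (default: $_GET) if it is a plain
 * string that matches $pattern, otherwise null. Arrays (?Name[]=x) and values
 * outside the pattern are rejected rather than escaped.
 */
function get_param(string $name, string $pattern, ?array $source = null): ?string
{
    $source = $source ?? $_GET;
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null;
    }
    $value = trim($source[$name]);
    return preg_match($pattern, $value) === 1 ? $value : null;
}

// Allowlists. \A and \z anchor the whole string; ^ and $ would accept a
// trailing newline. Keep the character classes as tight as the data allows.
const GENRE_RE = '/\A[A-Za-z][A-Za-z -]{0,39}\z/';
const NAME_RE  = '/\A[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}\z/';

// Constructed query strings (not captured from the site).
$tests = [
    ['Genre' => 'Adventure'],          // valid
    ['Name'  => 'test'],               // valid
    ['Name'  => "test' OR '1'='1"],    // quotes are not in the allowlist
    ['Name'  => ['x']],                // array smuggled in via Name[]=x
    ['Genre' => "Adventure\n"],        // trailing newline, caught by \z
];

foreach ($tests as $query) {
    $key     = array_key_first($query);
    $pattern = $key === 'Genre' ? GENRE_RE : NAME_RE;
    $value   = get_param($key, $pattern, $query);
    printf("%-6s %-24s => %s\n", $key, json_encode($query[$key]),
        $value === null ? 'REJECT (redirect or 400)' : "OK ($value)");
}
```

On a rejection the page should redirect or return 400 and then `exit`, not fall through. Validation narrows what reaches the application, but it is not a substitute for prepared statements: if the allowlist is ever widened to admit quotation marks, only a parameterised query keeps those characters from being read as SQL.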
Archived
This topic is now archived and is closed to further replies.