
[SOLVED] Passing variable and building an SQL injection, or put the variable?


co.ador


The variables below are passed into itemdetails2.php


// Build the link to itemdetails2.php; URL-encode the plate name so an unusual value cannot break the query string
echo "<a href=\"itemdetails2.php?id=" . (int)$content['id'] . "&platename=" . urlencode($content['platename']) . "\">";


In itemdetails2.php I pull the variables from the URL, making them available throughout the whole script in itemdetails2.php, by:


<?php
// Read the two URL parameters; fall back to '' / 0 when they are missing
$shoename = isset($_GET['platename']) ? $_GET['platename'] : '';

$id = isset($_GET['id']) ? (int)$_GET['id'] : 0;

// (int) turns any non-numeric value into 0, so 0 means "no usable id"
if ($id === 0)
{
    exit('ID can only be an integer');
}
?>


After I make it available throughout the whole script in itemdetails2.php, I want to build an SQL injection that takes the value of the variable $shoename and puts it inside the OutputRating method parameter below.


<?php
$ratingData = Rating::OutputRating('paul');

if (Error::HasErrors())
{
    echo Error::ShowErrorMessages();
    Error::ClearErrors();
}
else
{
    echo $ratingData;
}
?>


Notice that the parameter says 'paul'. Instead of 'paul', I want it to contain the shoename variable's value from the URL.


<?php
// Read the two URL parameters; fall back to '' / 0 when they are missing
$shoename = isset($_GET['platename']) ? $_GET['platename'] : '';

$id = isset($_GET['id']) ? (int)$_GET['id'] : 0;

if ($id === 0)
{
    exit('ID can only be an integer');
}
?>

<?php
// Note: this passes the literal text $shoename, not the variable's value (see the reply below)
$ratingData = Rating::OutputRating('$shoename');

if (Error::HasErrors())
{
    echo Error::ShowErrorMessages();
    Error::ClearErrors();
}
else
{
    echo $ratingData;
}
?>


Is that correct, to put the $shoename variable in there just like I did in the last embedded script?

Very close, but single quotes don't parse variables:

$ratingData = Rating::OutputRating('$shoename');

should be

$ratingData = Rating::OutputRating($shoename);


You could also do

$ratingData = Rating::OutputRating("$shoename");


but it hardly seems worth it ;)


Cool, so in order to insert a variable's value inside a method parameter, it can be done in two ways: with double quotes, or without quotes at all.


Preferably without quotes at all.


Problem solved. I will get back to you later on how it worked out behind the long code of the OutputRating method. The shoename goes a long road after passing its value through the parameter to the OutputRating method.


$ratingData = Rating::OutputRating($shoename);
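An added example, not code from the thread or from the poster's project, showing the difference between `'$shoename'` and `$shoename` when the value reaches a query, and one way to write an OutputRating that takes the plate name from the URL safely: the Rating class, its table and the sample rows are assumptions, and an in-memory SQLite database stands in for the real one so it runs offline.

```php
<?php
// Added example (not from the thread). Rating::OutputRating receives the plate
// name from the URL and looks it up with a prepared statement, so the value is
// bound as data instead of being pasted into the SQL text.
class Rating
{
    private static ?PDO $db = null;

    private static function db(): PDO
    {
        if (self::$db === null) {
            self::$db = new PDO('sqlite::memory:');
            self::$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
            self::$db->exec('CREATE TABLE ratings (platename TEXT, score INTEGER)');
            $ins = self::$db->prepare('INSERT INTO ratings VALUES (?, ?)');
            // Constructed sample data, not real ratings
            foreach ([['paul', 4], ['paul', 5], ["o'neil", 3]] as $row) {
                $ins->execute($row);
            }
        }
        return self::$db;
    }

    // Returns the average score for $platename, or null when it has no ratings.
    public static function OutputRating(string $platename): ?float
    {
        $stmt = self::db()->prepare(
            'SELECT AVG(score) FROM ratings WHERE platename = :platename'
        );
        $stmt->execute([':platename' => $platename]); // bound, never interpolated
        $avg = $stmt->fetchColumn();
        return $avg === null ? null : (float)$avg;
    }
}

// Simulate the request itemdetails2.php?id=7&platename=paul
$_GET = ['id' => '7', 'platename' => 'paul'];
$shoename = isset($_GET['platename']) ? $_GET['platename'] : '';

var_dump(Rating::OutputRating('$shoename')); // NULL: looks up the literal text $shoename
var_dump(Rating::OutputRating($shoename));   // float(4.5): the URL value was passed
var_dump(Rating::OutputRating("o'neil"));    // float(3): the quote is handled by the binding
```

The third call shows why the binding matters: a plate name containing a quote is matched as plain text rather than altering the query.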
