co.ador Posted July 21, 2009

The variables below are passed into itemdetails2.php:

    <a href=\"itemdetails2.php?id=". $content['id'] ."&platename=".$content['platename']."\">

In itemdetails2.php I pull the variables from the URL, making them available throughout the whole script, by:

    <?php
    $shoename = $_GET['platename'];
    $id = (int)$_GET['id'];
    if( $id === 0) {
        exit('ID can only be an integer');
    }
    ?>

After I make it available throughout the whole script in itemdetails2.php, I want to build a sql injection that takes the value of the variable $shoename and puts it inside the OutputRating method parameter below:

    <?php
    $ratingData = Rating::OutputRating('paul');
    if (Error::HasErrors()) {
        echo Error::ShowErrorMessages();
        Error::ClearErrors();
    } else {
        echo $ratingData;
    }
    ?>

Notice that in the parameter it says 'paul'; instead of 'paul' I want it to contain the shoename variable value from the URL.

    <?php
    $shoename = $_GET['platename'];
    $id = (int)$_GET['id'];
    if( $id === 0) {
        exit('ID can only be an integer');
    }
    ?>

    <?php
    $ratingData = Rating::OutputRating('$shoename');
    if (Error::HasErrors()) {
        echo Error::ShowErrorMessages();
        Error::ClearErrors();
    } else {
        echo $ratingData;
    }
    ?>

Is it correct to put the $shoename variable in there just like I did in the last embedded script?
MadTechie Posted July 21, 2009

Very close, but single quotes don't parse variables.

    $ratingData = Rating::OutputRating('$shoename');

should be

    $ratingData = Rating::OutputRating($shoename);

You could also do

    $ratingData = Rating::OutputRating("$shoename");

but it hardly seems worth it.
co.ador Posted July 21, 2009 (Author)

Cool, so in order to insert a variable value inside of a method parameter it can be done in two ways: with double quotes, and without quotes at all. Preferably without quotes at all.

Problem solved. I will get back to you later on how it worked out behind the long code of the OutputRating method. The shoename goes a long road after passing its value through the parameter to the OutputRating method.

    $ratingData = Rating::OutputRating($shoename);
MadTechie Posted July 21, 2009

You could even do this:

    $ratingData = Rating::OutputRating($_GET['platename']);

but I tend not to.
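Added example, written for this thread and not taken from co.ador's project or from the forum posts: the same flow in PHP with the points a security reviewer would want covered. The thread uses "sql injection" loosely to mean building the SQL query; the real injection risk is exactly what happens if OutputRating concatenates $shoename into that query text, so the hypothetical Rating class below binds the value with a PDO prepared statement instead. The link is URL-encoded and HTML-escaped, both GET parameters are validated before use, and the output is escaped again because it ends up in HTML. The table and column names, the rating query, the allow-list pattern for a plate name, the PDO parameter on OutputRating and the in-memory SQLite data are all assumptions for illustration.

```php
<?php
// Added example (not code from the thread). Hypothetical Rating class,
// table layout, query and demo data: assumptions for illustration.
declare(strict_types=1);

// --- building the link on the listing page ---
function buildDetailLink(array $content): string
{
    // http_build_query() URL-encodes the values; htmlspecialchars() protects
    // the HTML attribute. The value crosses two contexts, so both are needed.
    $query = http_build_query([
        'id'        => (int) $content['id'],
        'platename' => (string) $content['platename'],
    ]);
    return '<a href="itemdetails2.php?' . htmlspecialchars($query, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars((string) $content['platename'], ENT_QUOTES, 'UTF-8')
         . '</a>';
}

// --- itemdetails2.php side: validate before the values travel any further ---
function readShoeName(array $get): string
{
    $name = (string) ($get['platename'] ?? '');
    // Allow-list: letters, digits, spaces and hyphens, 1 to 50 characters
    // (an assumption about what a plate name looks like; adjust to real data).
    if (!preg_match('/^[A-Za-z0-9 \-]{1,50}$/', $name)) {
        exit('platename must be 1-50 letters, digits, spaces or hyphens');
    }
    return $name;
}

function readId(array $get): int
{
    // filter_var() rejects "12abc", which a plain (int) cast would silently turn into 12.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        exit('ID can only be a positive integer');
    }
    return $id;
}

// --- hypothetical Rating class: the value is bound, never concatenated into SQL ---
class Rating
{
    public static function OutputRating(PDO $db, string $shoename): string
    {
        // The placeholder keeps the user-supplied string out of the SQL text,
        // so any quote or keyword inside it is just data that matches nothing.
        $stmt = $db->prepare(
            'SELECT AVG(score) AS avg_score, COUNT(*) AS votes FROM ratings WHERE platename = :name'
        );
        $stmt->execute([':name' => $shoename]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        $avg = $row['avg_score'] === null ? 0.0 : (float) $row['avg_score'];
        // Escape on output as well, since the result is echoed into HTML.
        return sprintf(
            '%s: %.1f/5 from %d votes',
            htmlspecialchars($shoename, ENT_QUOTES, 'UTF-8'),
            $avg,
            (int) $row['votes']
        );
    }
}

// --- stand-alone demonstration with constructed data in an in-memory SQLite table ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ratings (platename TEXT, score INTEGER)');
$ins = $db->prepare('INSERT INTO ratings (platename, score) VALUES (?, ?)');
foreach ([['paul', 4], ['paul', 5], ['ringo', 2]] as $r) {
    $ins->execute($r);
}

echo buildDetailLink(['id' => 7, 'platename' => 'paul']), "\n";

$fakeGet  = ['id' => '7', 'platename' => 'paul'];   // stands in for $_GET (constructed)
$shoename = readShoeName($fakeGet);
$id       = readId($fakeGet);
echo Rating::OutputRating($db, $shoename), "\n";
```

The point that matters for the "long road" co.ador mentions: whichever of the three call forms from the thread is used, the string that reaches OutputRating is still whatever the visitor put in the URL. Passing it without quotes is the correct PHP, but the method at the end of that road has to bind it as a parameter (or otherwise validate it against an allow-list, as readShoeName does) rather than splice it into the query.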