Gath Posted April 16, 2007

Just a quick question. Is it possible for an outside user to make the code assume "all" for a URL var? For example: "show_topic.php?id=12345", to make it "show" all IDs instead of just a specific number? Actually asking for a delete function for a forum, where 'outside' moderators could have a 'delete' option, but it could be exploited somehow... Just trying to figure out all the options.
Barand Posted April 16, 2007

You could use

$id = intval($_GET['id']);

Then any non-numeric entries become zero.
Psycho Posted April 16, 2007

In any event, your code should ALWAYS validate any input by the user; this includes values passed on the query string as well as through form input. 'all' would have no meaning unless you specifically coded it to have meaning. However, if you aren't careful a user could use SQL injection to delete all records. For example, if you were using the following query:

DELETE FROM table WHERE id = '$id'

A malicious user could try and pass an id value of

1' OR 1 = '1

The resulting query would look like this:

DELETE FROM table WHERE id = '1' OR 1 = '1'

And the second half of that OR would cause all records to be deleted. The solution Barand gave would be perfect for this situation, but I am just elaborating to emphasize that all user input needs to be validated.
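Added example (not code from this thread): the spliced-in DELETE from the post beside the intval-style fix, run against a constructed in-memory SQLite table in Python rather than PHP/MySQL. The payload is the variant `1' OR '1' = '1` because SQLite, unlike MySQL, does not treat the integer 1 and the string '1' as equal; the constructed rows and the function names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table standing in for the forum's topic table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE topic (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO topic (id, title) VALUES (?, ?)",
                     [(1, "first"), (2, "second"), (3, "third")])
    return conn


def remaining(conn):
    """Ids still in the table, so callers can see what a delete actually removed."""
    return [row[0] for row in conn.execute("SELECT id FROM topic ORDER BY id")]


def delete_vulnerable(conn, raw_id):
    """The pattern criticised in the post: the raw query-string value is spliced into the SQL."""
    conn.execute(f"DELETE FROM topic WHERE id = '{raw_id}'")
    return remaining(conn)


def delete_hardened(conn, raw_id):
    """Coerce to an integer first (Barand's intval() advice) and bind it as a parameter."""
    try:
        topic_id = int(raw_id)
    except (TypeError, ValueError):
        # Mirrors intval(): non-numeric input becomes 0, which matches no row.
        # (PHP's intval("12abc") would give 12; Python's int() is stricter and raises.)
        topic_id = 0
    conn.execute("DELETE FROM topic WHERE id = ?", (topic_id,))
    return remaining(conn)


if __name__ == "__main__":
    print(delete_vulnerable(make_db(), "1' OR '1' = '1"))  # every row gone
    print(delete_hardened(make_db(), "1' OR '1' = '1"))    # nothing deleted
```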
Barand Posted April 16, 2007

Well said.