ballhogjoni Posted November 7, 2007 Share Posted November 7, 2007 Is there anything wrong with this syntax? "SELECT * FROM subscribers WHERE (ResponderID = '$Responder_ID' OR ResponderID = '0') AND EmailAddress = '$Email_Address'"; Quote Link to comment Share on other sites More sharing options...
obsidian Posted November 7, 2007 Share Posted November 7, 2007 Doesn't look like it. Are you having errors when you run it? Quote Link to comment Share on other sites More sharing options...
ballhogjoni Posted November 7, 2007 Author Share Posted November 7, 2007 No, I just wanted to make sure before I do run it because I will make the change on a live site. Quote Link to comment Share on other sites More sharing options...
obsidian Posted November 7, 2007 Share Posted November 7, 2007 No, I just wanted to make sure before I do run it because I will make the change on a live site. Just make sure you are sanitizing the variable input, and you should be fine. As it is, though, unless you're cleaning those variables, you'll be open to SQL injection. Quote Link to comment Share on other sites More sharing options...
ballhogjoni Posted November 7, 2007 Author Share Posted November 7, 2007 Can you explain that a little more in depth, when you say "sanitizing" & "cleaning"? Quote Link to comment Share on other sites More sharing options...
obsidian Posted November 7, 2007 Share Posted November 7, 2007 Can you explain that a little more in depth, when you say "sanitizing" & "cleaning"? There are some threads here in the forums that can probably explain more in-depth than I have time for right now, but let's use the following example to show you what I mean: Here is your current query: SELECT * FROM subscribers WHERE (ResponderID = '$Responder_ID' OR ResponderID = '0') AND EmailAddress = '$Email_Address' You are obviously expecting to have a numeric entry for ResponderID, but if I were to try to do a SQL injection, I could provide you with the following string for my $Responder_ID variable: 0' OR 1=1); -- Now, if you're familiar with SQL syntax, you recognize the "--" as a comment, so your query all of a sudden looks like this: SELECT * FROM subscribers WHERE (ResponderID = '0' OR 1=1) -- ' OR ResponderID = '0') AND EmailAddress = '$Email_Address' Notice that I've commented out the remainder of your query, so what is executed is actually everything up to the comment, effectively returning me the first user record in the database, which is often the admin account. This is a very common SQL injection technique, and it can be avoided quite easily by simply sanitizing you input by escaping all characters that shouldn't be there. You can either white list your acceptable values for your variables, or if it's a string entry, you can just use mysql_real_escape_string() to escape the quote I entered or any other dangerous characters: <?php $Responder_ID = mysql_real_escape_string($Responder_ID); $Email_Address = mysql_real_escape_string($Email_Address); mysql_query("SELECT * FROM subscribers WHERE (ResponderID = '$Responder_ID' OR ResponderID = '0') AND EmailAddress = '$Email_Address'"); ?> Hope this helps in getting you on the right track to a safer site! Quote Link to comment Share on other sites More sharing options...
fenway Posted November 7, 2007 Share Posted November 7, 2007 No, I just wanted to make sure before I do run it because I will make the change on a live site. FYI, if you add a LIMIT 0, nothing will happen, but mysql will still parse your statement... an easy way to check for errors. Quote Link to comment Share on other sites More sharing options...
ballhogjoni Posted November 7, 2007 Author Share Posted November 7, 2007 Thanks guys!!! That info really helped out. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.