
catching malicious data??


srihari


A source of potential problems in a dynamic web application is the "pollution" of input with bad, if not downright malicious, data.

 

/* assumed $name is user data culled from a POSTed HTML form... */
$query = "SELECT * FROM members WHERE firstname = '" . $name . "';";
$result = mysql_query($query);

Can anyone help me out?

How will I catch malformed (malicious?) POST/GET data in $name?

Can anyone suggest how to proceed with the code?

Can I have sample code?

https://forums.phpfreaks.com/topic/80652-catching-malicious-data/

// Escape the POSTed value before it goes into the query string
$name = mysql_real_escape_string($_POST['name']);
$query = "SELECT * FROM members WHERE firstname = '" . $name . "';";
$result = mysql_query($query);

Does this work out fine? Or

please check the code below as well?

<?php

// Check the same field that is read below
if (isset($_POST['last_name'])) {
    // Connect
    $link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password');

    if (!is_resource($link)) {
        echo "Failed to connect to the server\n";
        // ... log the error properly
    } else {
        // Select the database ('mysql_database' is a placeholder name)
        mysql_select_db('mysql_database', $link);

        // Reverse magic_quotes_gpc/magic_quotes_sybase effects on those vars if ON.
        if (get_magic_quotes_gpc()) {
            $last_name = stripslashes($_POST['last_name']);
        } else {
            $last_name = $_POST['last_name'];
        }

        // Make a safe query: escape the value using the open connection
        $query = sprintf("SELECT * FROM `customers` WHERE `last_name` = '%s'",
                        mysql_real_escape_string($last_name, $link));

        $result = mysql_query($query, $link);

        // A SELECT returns a result set, so count its rows with mysql_num_rows()
        if ($result !== false && mysql_num_rows($result) > 0) {
            echo "Customer found\n";
        }
    }
} else {
    echo "Fill the form properly\n";
}

?>
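Added example, not part of the original posts: one way to handle `$name` is to validate its shape and pass it as a bound parameter instead of concatenating it into the query. It assumes PDO with an in-memory SQLite table standing in for the thread's MySQL `members` table; `is_plausible_name`, `find_members` and `find_members_concat` are hypothetical helper names.

```php
<?php
// Constructed demo data: an in-memory SQLite table stands in for the thread's
// MySQL `members` table (assumption, so the script runs without a server).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE members (id INTEGER PRIMARY KEY, firstname TEXT)");
$db->exec("INSERT INTO members (firstname) VALUES ('alice'), ('bob'), ('o''brien')");

// Hypothetical helper: reject input that cannot be a first name.
function is_plausible_name($name)
{
    return is_string($name) && strlen($name) <= 64
        && preg_match('/^\p{L}[\p{L} \'-]*$/u', $name) === 1;
}

// Hypothetical helper: the value is bound, so it never becomes SQL text.
function find_members(PDO $db, $name)
{
    $stmt = $db->prepare('SELECT id, firstname FROM members WHERE firstname = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The concatenated form from the first post, kept only for comparison.
function find_members_concat(PDO $db, $name)
{
    $query = "SELECT id, firstname FROM members WHERE firstname = '" . $name . "'";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

$samples = ["alice", "o'brien", "x' OR '1'='1"]; // constructed sample inputs
foreach ($samples as $name) {
    $valid = is_plausible_name($name) ? 'accepted' : 'rejected';
    $bound = count(find_members($db, $name));
    try {
        $concat = count(find_members_concat($db, $name)) . ' row(s)';
    } catch (PDOException $e) {
        $concat = 'SQL error'; // the quote in the data broke the statement
    }
    printf("%-14s validation=%s bound=%d row(s) concatenated=%s\n",
        $name, $valid, $bound, $concat);
}
```

The apostrophe in `o'brien` is legitimate data that passes validation, which is why the shape check complements the bound parameter and does not replace it.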

 
