security


asmith


Hey guys,

I will be working with PayPal, and I will work on some script which would pay the site users from the site's PayPal account.

Users will be allowed to specify an amount, with a limit of a number recorded in MySQL. For example, if a user has a "$5 discount", he can transfer no more than $5 and ...

I was wondering what things I should be careful about? I mean, is there any chance a user could crack MySQL (I don't know how, except injections) and update his "5" to "50" or "500", then ...

Any tips for what things I must be careful about? (I have no file uploading on the site, except my forum has, which is in another database with another SQL user. And all the text inputs have been verified, so no one can use my HTML text inputs for injections.)

P.S. Is there any difference between using MyISAM tables or InnoDB?

Thanks


You have to secure / validate any external variables.

Example:
[code]<?php
// Deliberately insecure: $number is taken straight from the query string
// and used without any validation.
$number = $_GET['number'];

// Echoed back unescaped: whatever the user sent becomes part of the HTML page.
echo "$number X 5 = " . $number * 5;

// Interpolated unescaped into SQL (the old mysql extension, removed in PHP 7.0):
// the user controls the rest of the UPDATE statement.
mysql_query("UPDATE table SET number=$number WHERE id=1");
?>[/code]

This is very insecure, because we didn't validate $number.

In the echo statement a malicious user can insert some JavaScript, which could lead to hacked accounts.

Then you have it going to a MySQL statement without proper validation/sanitization; you risk your whole DB being hacked.

[code]<?php
// Coerce the input to an integer and clamp it to the range the script expects.
function validate_number($number, $min = 0, $max = 100)
{
    $number = intval($number);          // non-numeric input becomes 0
    if ($number < $min) $number = $min;
    if ($number > $max) $number = $max;
    return $number;
}
$number = validate_number(isset($_GET['number']) ? $_GET['number'] : '', 1, 10);

// $number is now a plain integer between 1 and 10, so it is safe to echo
// and safe to place in the SQL statement.
echo "$number X 5 = " . $number * 5;
mysql_query("UPDATE table SET number=$number WHERE id=1");
?>[/code]

intval converts a value into an integer, which is what the script is expecting.

The min/max is a sample of validating our external variable and forcing it to conform to what we expect it to be.

There is a lot more to injection attacks, but this is just a simple example.

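As an added example (not code from the post above or from the original poster's site), here is the same idea carried through for the payout scenario the thread opens with: the amount is parsed into integer cents instead of a float, the limit recorded in MySQL is enforced by a conditional UPDATE inside a transaction rather than trusted from the request, the queries use PDO prepared statements so nothing from the user is ever interpolated into SQL, and the value echoed back is HTML-escaped. The table and column names (discounts, payouts, remaining_cents), the DSN and the credentials are assumptions for illustration. The transaction needs InnoDB, which bears on the P.S. in the first post: MyISAM has neither transactions nor row-level locks, so the debit-then-pay sequence cannot be made atomic on it.

```php
<?php
// Added example, not code from the thread: a hardened version of the snippet
// above, applied to the original poster's payout scenario. The table names
// (discounts, payouts), column names and the PDO connection details are
// assumptions for illustration. The transaction and the row-level UPDATE rely
// on InnoDB; MyISAM has no transactions.
declare(strict_types=1);

// Parse a user-supplied dollar amount into integer cents. Anything that is not
// a plain decimal with at most two places (e.g. "5e3", "-5", "5.001",
// "5 OR 1=1") is rejected, and money never touches floating point.
function parse_cents(string $raw): ?int
{
    if (!preg_match('/^(\d{1,7})(?:\.(\d{1,2}))?$/', trim($raw), $m)) {
        return null;
    }
    $cents = (int)$m[1] * 100 + (int)str_pad($m[2] ?? '', 2, '0');
    return $cents > 0 ? $cents : null;
}

// Atomically debit the user's remaining discount. The limit is re-checked in
// the WHERE clause on the server, so the request can never decide how much the
// user may transfer, and two concurrent requests against a 500-cent balance
// cannot both succeed. Parameters are bound, never interpolated into SQL.
function reserve_credit(PDO $db, int $userId, int $cents): bool
{
    $db->beginTransaction();
    try {
        $debit = $db->prepare(
            'UPDATE discounts
                SET remaining_cents = remaining_cents - :amount
              WHERE user_id = :user AND remaining_cents >= :floor'
        );
        $debit->execute([':amount' => $cents, ':user' => $userId, ':floor' => $cents]);
        if ($debit->rowCount() !== 1) {
            $db->rollBack();              // unknown user or not enough credit
            return false;
        }
        // Record the pending payout in the same transaction, so a crash between
        // the debit and the PayPal call leaves an auditable row to reconcile.
        $log = $db->prepare(
            'INSERT INTO payouts (user_id, cents, status) VALUES (:user, :cents, :status)'
        );
        $log->execute([':user' => $userId, ':cents' => $cents, ':status' => 'pending']);
        $db->commit();
        return true;
    } catch (Throwable $e) {
        if ($db->inTransaction()) {
            $db->rollBack();
        }
        throw $e;
    }
}

// Handle one payout request. The user id comes from the session, the amount
// from a POST body (a state-changing action should not be a GET), and anything
// echoed back is HTML-escaped so a reflected value cannot become script.
function handle_request(PDO $db, int $sessionUserId, array $post): string
{
    $cents = parse_cents((string)($post['amount'] ?? ''));
    if ($cents === null) {
        return 'Invalid amount.';
    }
    if (!reserve_credit($db, $sessionUserId, $cents)) {
        return 'Amount exceeds your remaining discount.';
    }
    // The PayPal API call itself is outside this example; on its result the
    // payouts row would be marked paid, or the debit reversed on failure.
    $amount = sprintf('%d.%02d', intdiv($cents, 100), $cents % 100);
    return 'Reserved $' . htmlspecialchars($amount, ENT_QUOTES, 'UTF-8') . ' for payout.';
}

// Usage (placeholder DSN and credentials; requires the assumed tables).
session_start();
$db = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'payout_user', 'change-me', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);
echo handle_request($db, (int)($_SESSION['user_id'] ?? 0), $_POST);
```

The separate SQL user the first post already uses for the forum is the right instinct and applies here too: the account the payout script connects as should have UPDATE and INSERT on these two tables only, so an injection anywhere else on the site cannot reach the balances.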

Thanks laffin for taking the time to write that code.

Actually, I am fully validating the GET variables, and also those variables are not going to my SQL.

There's no JavaScript used except for the page view, so I have used almost no JavaScript. And there's no text field that hasn't passed my full validation.

I was just wondering whether maybe some other tips were available, not about injections with variables.
