phpnoobie9 Posted February 24, 2008 If I have a GET form that produced something like mysitedotcom/mypage.php?id=1, is there a way of getting to my server through the URL?
drisate Posted February 24, 2008 Yes, you can use vars from your URL. Let's say you have mysitedotcom/mypage.php?id=1. To get the var id you would use $_GET['id']. PHP auto produces it when you open mypage.php, so if you put <?php echo $_GET['id']; ?> at the beginning of your page you would have the value 1 printed on the page. You can also use that var in your SQL statement: SELECT * FROM table WHERE id='$_GET[id]' but of course don't forget to clean the var to protect yourself against hackers that could change the value 1 to malicious code and manipulate the query.
phpnoobie9 Posted February 24, 2008 Author What do you mean clean the variable? How do I do that? So if all I have is a SELECT statement they can change that into some kind of INSERT and insert code into my database?
nethnet Posted February 24, 2008 Use addslashes() on all content taken from the URL and put directly into an SQL query. It will protect your site from SQL injections.
drisate Posted February 24, 2008 You should do a Google search on "xss", also called "cross site scripting".
drisate Posted February 24, 2008 Please note that addslashes is not the correct function to protect you from SQL injections. For example, the following line: $short_desc = addslashes($_POST['short_desc']); should look like this: $short_desc = mysql_real_escape_string($_POST['short_desc']); addslashes() should be deprecated - it does not protect against SQL injections.
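As an added example that is not part of this thread, the script below puts the interpolated query from the replies above next to a prepared statement, so the "clean the var" advice can be seen working. It assumes PHP with the PDO SQLite driver; the pages table, its rows and the request values are constructed here.

```php
<?php
// Added example (not from the thread): the interpolated query from the replies
// beside a PDO prepared statement, run against a constructed in-memory table.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)');
    $db->exec("INSERT INTO pages (id, title) VALUES (1, 'home'), (2, 'about'), (3, 'contact')");
    return $db;
}

// Vulnerable form: the URL value is pasted into the SQL text. Escaping quotes
// does not help here at all, because a numeric id is usually used without quotes,
// so whatever the visitor typed becomes part of the WHERE clause.
function lookupInterpolated(PDO $db, string $id): array {
    $sql = "SELECT id, title FROM pages WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: validate the id as an integer, then bind it to a prepared
// statement so the database only ever sees it as a value, never as SQL.
function lookupPrepared(PDO $db, string $id): array {
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        return [];                       // reject anything that is not a plain integer
    }
    $stmt = $db->prepare('SELECT id, title FROM pages WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();

// Constructed request value: the normal case from the question.
$_GET['id'] = '2';
printf("interpolated, id=2: %d row(s)\n", count(lookupInterpolated($db, $_GET['id'])));
printf("prepared,     id=2: %d row(s)\n", count(lookupPrepared($db, $_GET['id'])));

// Constructed request value: what a visitor could type into the URL instead of 2.
// The interpolated query now matches every row; the prepared lookup rejects it.
$_GET['id'] = '2 OR 1=1';
printf("interpolated, tampered: %d row(s)\n", count(lookupInterpolated($db, $_GET['id'])));
printf("prepared,     tampered: %d row(s)\n", count(lookupPrepared($db, $_GET['id'])));
```

The mysql_real_escape_string() function mentioned in the thread belongs to the old mysql extension, which was removed in PHP 7; both PDO and mysqli support prepared statements, which make escaping unnecessary for values passed as parameters.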