plugging holes


jbroder
10-26-2000, 05:24 PM
I am working on a php/mysql page that lists a bunch of rows.
http://www.guitartricks.com/2000/style.php?input=Alternative&order_by=title

I want to use the same page for several different musical categories (alternative, in the above example) and allow the user to order the rows by title, date, author, etc. by clicking links with different order_by= query strings.

I am passing the get variables into a mysql query like so:


    SELECT    id, mp3_1, user_fullname,
              startdate, title,
              style, category
    FROM      trick
    WHERE     style = '$input'
    AND       category != ''
    ORDER BY  $order_by, user_rank


Now this seems like it might be a security hole. Can someone set $input to something nasty?

If so, what approach makes sense to check for that?

I could do a checking query that retrieves all the existing categories and makes sure $input is one of them. But, I am hoping for an easier, softer way to make this safe.

Any help would be greatly appreciated.

Jon
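The two inputs in the post need two different treatments, and the example below (added here, not code from the thread) shows both using Python's built-in sqlite3 module with a constructed in-memory copy of the `trick` table. The value `$input` is data, so it is passed as a bound parameter and never spliced into the SQL string; the column name `$order_by` cannot be bound as a parameter (placeholders only stand for values, not identifiers), so it is checked against a fixed allow-list of sortable column names before being interpolated. The allow-list contents, the sample rows and the `user_rank` column type are assumptions; the column and table names come from the post's query. The same shape carries over to PHP with prepared statements (PDO or mysqli): bind the style value, allow-list the sort column.

```python
import sqlite3

# Hypothetical allow-list of columns the page lets users sort by. Anything
# not in this set is rejected before it ever reaches the SQL string.
ALLOWED_ORDER_BY = {"title", "startdate", "user_fullname"}


def build_query(order_by):
    """Return the SELECT with a validated ORDER BY column and a ? placeholder
    for the style value. Raises ValueError for an unknown sort column."""
    if order_by not in ALLOWED_ORDER_BY:
        raise ValueError("order_by must be one of %s" % sorted(ALLOWED_ORDER_BY))
    # order_by is safe to interpolate only because it was checked above.
    return (
        "SELECT id, mp3_1, user_fullname, startdate, title, style, category "
        "FROM trick "
        "WHERE style = ? AND category != '' "
        "ORDER BY %s, user_rank" % order_by
    )


def list_tricks(conn, style, order_by="title"):
    """Run the listing query. `style` is bound as a parameter, so quotes or
    SQL keywords inside it are treated as plain text to compare against."""
    sql = build_query(order_by)
    return conn.execute(sql, (style,)).fetchall()


def make_sample_db():
    """Constructed in-memory stand-in for the poster's MySQL table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE trick ("
        "id INTEGER PRIMARY KEY, mp3_1 TEXT, user_fullname TEXT, "
        "startdate TEXT, title TEXT, style TEXT, category TEXT, "
        "user_rank INTEGER)"
    )
    rows = [  # constructed sample data
        ("a.mp3", "Ann", "2000-10-01", "Zed Riff", "Alternative", "rhythm", 2),
        ("b.mp3", "Bob", "2000-10-02", "Alpha Lick", "Alternative", "lead", 1),
        ("c.mp3", "Cal", "2000-10-03", "Blues Bend", "Blues", "lead", 3),
        ("d.mp3", "Dee", "2000-10-04", "Hidden", "Alternative", "", 4),
    ]
    conn.executemany(
        "INSERT INTO trick (mp3_1, user_fullname, startdate, title, style, "
        "category, user_rank) VALUES (?, ?, ?, ?, ?, ?, ?)",
        rows,
    )
    return conn


if __name__ == "__main__":
    db = make_sample_db()
    for row in list_tricks(db, "Alternative", "title"):
        print(row)
    # A style value containing a quote simply matches no rows instead of
    # changing the query's meaning.
    print(list_tricks(db, "Alternative' --", "title"))
```

Rejecting an unknown `order_by` with an error (or silently falling back to a default column) is cheaper than the "checking query" the post proposes, and it also covers `$input` if you prefer an allow-list of known styles there too; but binding the value is the general fix, since it works for any string the user can type.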