Pyro Posted April 14, 2005 Share Posted April 14, 2005 While making some basic PHP-code for a site, I've created this small script: //This script has been modified, variables have been changed/removed for security reason. <? mysql_connect($host,$username,$password); @mysql_select_db($database) or die( "Unable to select database"); $query="SELECT * FROM info"; $result=mysql_query($query); mysql_close(); $article = $_GET["article"]; $content=mysql_result($result,$article,"content"); echo "$content"; ?> What it does is use the URL (like if you enter hi.php?article=5 it will find article number 5) to get the right document from the database. However, I'm a bit concerned about security. My knowledge of PHP is a bit lacking, basically I can create a script like this and mod phpbb, but that's about it. Are there any obvious security flaws in this way of using a database? Beyond that, I'd like to tweak it a bit. At the moment, the table it uses looks like this: ID | CONTENT 0 | Blabla 1 | Blabla 2 | Blabla Et cetera. When I use the above script to get an article, the script does not get the article that has the relevant ID number, it gets the article with that position in the table. Now, they are both the same so it doesn't matter, but it's a bit inconvenient for those times when I need to make changes to it. Is there a simple way to make it go by the ID column instead of location in the table? Cheers. Link to comment Share on other sites More sharing options...
Ks_Jeppe Posted April 14, 2005 Share Posted April 14, 2005 If you make it $article = int($_GET["article"]); instead, it'll make convert the $_GET value into a number... Any text would get the number 0, so if a hacker would try to use a inject here, it wouldn't work... It's the same method used on tip.it, and we havent been (that way) hacked yet ;) Link to comment Share on other sites More sharing options...
Ks_Jeppe Posted April 14, 2005 Share Posted April 14, 2005 And about the selection thing... //This script has been modified, variables have been changed/removed for security reason. <? $article = intval($_GET["article"]); mysql_connect($host,$username,$password); @mysql_select_db($database) or die( "Unable to select database"); $query = "SELECT * FROM info WHERE id = ".$article; $result = mysql_query($query); while ($myrow = mysql_fetch_array($result)) { print $myrow['content']; } mysql_close(); ?>Also, make ID a primery key field.. Link to comment Share on other sites More sharing options...
Pyro Posted April 14, 2005 Author Share Posted April 14, 2005 Thanks for the help, both scripts work great! :) Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now