Forums
Server Development
Habbo Retros
Habbo Q&A
PHP News Help
[QUOTE="CosmoPeak, post: 391419, member: 68352"]
If you've used this code, you need to be careful. $_GET['id'] hasn't been sanitised (someone could write SQL in the id parameter and it would be run directly on your database - look up SQL injection). [USER=57721]@Nicholas[/USER] is partially correct, but simply using MySQLi or PDO doesn't make you immune to SQL injection. You can still use MySQLi/PDO in the same way you can use MySQL. What they should be suggesting is using [I]prepared statements[/I]. I looked at a CMS advertised as 'MySQLi' recently which just used MySQLi's query function and still escaped the parameters manually. This is not good practice and not what "use MySQLi or PDO" means at all.

In any case, you need to sanitise the user input. Here's an example if you're using RevCMS:

(I've changed the first few lines and changed the variable in the MySQL query from $_GET['id'] to $news_id)

[code=php]
<?php
global $engine;

$news_id = 1; // Default value

if (isset($_GET['id']) && is_numeric($_GET['id'])) {
    $news_id = $engine->secure($_GET['id']); // Sanitised input
}

// Use the sanitised and SQL-injection free value
$author = mysql_fetch_array(mysql_query("SELECT author FROM cms_news WHERE id = " . $news_id));
$a = mysql_fetch_array(mysql_query("SELECT * FROM users WHERE id = " . $author['author']));
$look = $a['look'];
$user = $a['username'];

echo '<div id="userAvatar" style="margin-bottom: 10px;float:left;width: 75px;height:70px;background: url(http://avatar-retro.com/habbo-imaging/avatarimage?figure=' . $look . '&action=drk&direction=3&head_direction=3&gesture=sml&size=1) no-repeat;"></div>
<div id="slickTitle" style="margin-top:17px;" class="newsAuthor"><a href="/home/' . $user . '" style="text-decoration:none;color:#666;">' . $user . '</a><span class="newstext"><b>{newsDate}</b></span></div>';
?>
[/code]
[/QUOTE]
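The distinction CosmoPeak is drawing (switching extension is not the fix; binding parameters is) shown on the same news lookup, as an added example that is not part of the original post and not RevCMS code. It assumes tables cms_news(id, author) and users(id, username, look), a MySQLi build with mysqlnd (for get_result), and the placeholder connection constants below; fetchAuthorUnsafe, fetchAuthorMysqli, fetchAuthorPdo, fetchUserPdo and newsIdFromRequest are names chosen here.

```php
<?php
// Added example, not from the post or RevCMS. Shows the same query written
// (1) with MySQLi but still injectable, (2) with a MySQLi prepared statement,
// (3) with a PDO prepared statement. Connection values are placeholders.
declare(strict_types=1);

const DB_HOST = 'localhost';   // placeholder
const DB_NAME = 'cms';         // placeholder
const DB_USER = 'cms_user';    // placeholder
const DB_PASS = 'change-me';   // placeholder

// (1) Still vulnerable. The extension is MySQLi, but the id is concatenated
//     into the SQL text, so anything the caller passes becomes part of the
//     statement, exactly as with the old mysql_query() version.
function fetchAuthorUnsafe(mysqli $db, string $id): ?array
{
    $sql = "SELECT author FROM cms_news WHERE id = " . $id; // untrusted text in SQL
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// (2) MySQLi prepared statement: the SQL is sent with a placeholder and the
//     id is bound separately as an integer, so it can never alter the query.
function fetchAuthorMysqli(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare("SELECT author FROM cms_news WHERE id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // requires mysqlnd (assumption)
    $stmt->close();
    return $row ?: null;
}

// (3) PDO prepared statement. Emulated prepares are turned off on the
//     connection below so the placeholder is resolved by the server, not by
//     PDO building a string client-side.
function fetchAuthorPdo(PDO $db, int $id): ?array
{
    $stmt = $db->prepare("SELECT author FROM cms_news WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Second lookup from the post (users by author id), also bound rather than
// concatenated, even though this value came from the database, not the URL.
function fetchUserPdo(PDO $db, int $userId): ?array
{
    $stmt = $db->prepare("SELECT username, look FROM users WHERE id = :id");
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Validate once, default to 1 as in the post. FILTER_VALIDATE_INT returns a
// real int and rejects values such as "1 OR 1=1", "1e3" or " 1" that
// is_numeric() or a loose check might let through.
function newsIdFromRequest(array $get): int
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? 1 : $id;
}

$newsId = newsIdFromRequest($_GET);

$pdo = new PDO(
    sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', DB_HOST, DB_NAME),
    DB_USER,
    DB_PASS,
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$author = fetchAuthorPdo($pdo, $newsId);
$user   = $author ? fetchUserPdo($pdo, (int) $author['author']) : null;
// $user['username'] and $user['look'] can now be rendered as in the post.
```

The point of keeping fetchAuthorUnsafe next to the other two is that all three use a "modern" extension; only the two that separate the SQL text from the bound value are protected, which is what "use prepared statements" means in practice.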