Re: [PHP-DB] PHP & Database Problems -- Code Snippets
I noticed the use of SQL concatenation like:
$allowed_fields = array(
    'Site'   => $_POST['Site'],
    'MedRec' => $_POST['MedRec'],
    'Fname'  => $_POST['Fname'],
    'Lname'  => $_POST['Lname'],
    'Phone'  => $_POST['Phone'],
    'Sex'    => $_POST['Sex'],
    'Height' => $_POST['Height'],
);
if (empty($allowed_fields)) {   // never true: the array always holds the seven entries above
    echo "ouch";
}
$query = "select * from Intake3 where 1 ";
foreach ($allowed_fields as $key => $val) {
    if ($val != '') {
        // $key comes from the array literal above, but $val is the raw request value
        // pasted straight into the SQL text: this is the injection point
        $query .= " AND ($key = '$val') ";
    }
}
// run once, after the whole WHERE clause has been built
$result1 = mysqli_query($cxn, $query);
and like
// $GLOBALS (there is no $_GLOBALS superglobal) interpolated unquoted into the SQL: also injectable
$query2 = "select * from Visit3 where 1 AND (Site = 'AA') AND (MedRec = $GLOBALS[mdr])";
This is a "SQL Injection" security risk. There is a lot of material on the web about this, e.g. https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet

I cannot strongly enough suggest you rewrite the app to mitigate against this issue.

Also, set error_reporting = E_ALL & E_STRICT in your php.ini file to help you identify some of your other code issues.

Chris

--
christopher.jones@xxxxxxxxxx
http://twitter.com/#!/ghrd

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
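As an added example (not part of Chris's reply or the original poster's code), here is how the two queries quoted above could be rewritten with mysqli prepared statements, following the query parameterization approach the reply links to. It assumes `$cxn` is an open mysqli connection as in the post, that the `Intake3`/`Visit3` table and column names are as posted, and that the MedRec value lives in `$GLOBALS['mdr']`; the function names, the `INTAKE_FIELDS` whitelist and the hostile sample input are my own.

```php
<?php
// Added example: parameterized rewrite of the Intake3 / Visit3 queries.
// Assumes $cxn is an open mysqli connection, as in the original post.

// Column names cannot be bound as parameters, so they must come from a fixed
// list in the code, never from the request. These are the columns the post used.
const INTAKE_FIELDS = ['Site', 'MedRec', 'Fname', 'Lname', 'Phone', 'Sex', 'Height'];

/**
 * Build "SELECT * FROM Intake3 WHERE 1 AND (`col` = ?) ..." from submitted
 * fields. Returns [sql, bind_param type string, values] so the builder can be
 * checked without a database connection.
 */
function buildIntakeQuery(array $post)
{
    $sql    = 'SELECT * FROM Intake3 WHERE 1';
    $types  = '';
    $values = [];

    foreach (INTAKE_FIELDS as $col) {
        // Same "skip empty fields" rule as the original loop, but the value
        // never enters the SQL text; only a ? placeholder does.
        if (!isset($post[$col]) || $post[$col] === '') {
            continue;
        }
        $sql     .= " AND (`$col` = ?)";   // $col is from the whitelist above
        $types   .= 's';                    // bind as string; MySQL coerces on compare
        $values[] = $post[$col];
    }
    return [$sql, $types, $values];
}

function runIntakeQuery(mysqli $cxn, array $post)
{
    list($sql, $types, $values) = buildIntakeQuery($post);
    $stmt = mysqli_prepare($cxn, $sql);
    if ($stmt === false) {
        throw new RuntimeException(mysqli_error($cxn));
    }
    if ($values) {
        // Argument unpacking into bind_param's by-reference parameters (PHP 5.6+).
        mysqli_stmt_bind_param($stmt, $types, ...$values);
    }
    mysqli_stmt_execute($stmt);
    return mysqli_stmt_get_result($stmt); // requires mysqlnd
}

// Second query from the post: the literal 'AA' is fine in the SQL text because
// it is a constant; the MedRec value is bound. $GLOBALS['mdr'] is an assumption
// about where the value lives.
function runVisitQuery(mysqli $cxn, $medRec)
{
    $stmt = mysqli_prepare($cxn, 'SELECT * FROM Visit3 WHERE 1 AND (Site = ?) AND (MedRec = ?)');
    if ($stmt === false) {
        throw new RuntimeException(mysqli_error($cxn));
    }
    $site = 'AA';
    mysqli_stmt_bind_param($stmt, 'ss', $site, $medRec);
    mysqli_stmt_execute($stmt);
    return mysqli_stmt_get_result($stmt);
}

// Constructed hostile input (not from the post): the classic tautology payload.
// Concatenated as in the original code it would become  AND (Lname = '' OR '1'='1')
// and match every row in Intake3; here it is only ever a bound string compared
// against the Lname column.
$hostile = ['Site' => 'AA', 'Lname' => "' OR '1'='1"];
list($sql, $types, $values) = buildIntakeQuery($hostile);
echo $sql, "\n", $types, "\n", implode(' | ', $values), "\n";

// With a live connection:
//   $result1 = runIntakeQuery($cxn, $_POST);
//   $result2 = runVisitQuery($cxn, $GLOBALS['mdr']);
```

`buildIntakeQuery()` is kept free of database calls on purpose: the generated SQL (two `?` placeholders for the constructed input) and the type string can be asserted in a unit test, and the payload never appears in the statement text at all. Note that the original loop's `$key` was already safe, since it came from the array literal rather than the request; the value interpolation was the problem, and it is the values that get bound here.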