I noticed a lot of people gave some good advice, but one thing they forgot
to mention is the AddSlashes command of PHP. It basically does all the
necessary special-character escaping for you, so the worst thing someone
can do by entering bad data in your forms is bring up a page with bad
results. It works like this:
// escape the form value before splicing it into the query string
$pgResults = pg_exec($dbCon, "SELECT field1, field2 FROM table WHERE field1 = '"
    . addslashes($FormVar) . "'");
It's also a VERY good idea to do some basic sanity checking on all your
form data before even starting to build a query string. I.e., if you are
expecting $PageNumber to be an integer, then do a
// whole value must be one or more digits, nothing else
if (!ereg("^[[:digit:]]+$", $PageNumber)) { print "Bad form data!"; exit; }
at the top of your script. It's annoying to have to validate ALL your
variables (especially when you get into forms that have 15-20 fields) but
it's necessary if you don't want some script kiddie to come along and screw
up your site.
At 05:00 AM 10/17/00, Rikul Patel wrote:
>Hi,
>
>Is there any way I can restrict number of queries to
>only one? Here's the problem:
>
>If a PHP script gets some data as input from a user, and
>the PHP script tries to put this data into PostgreSQL,
>what's keeping the user from modifying the data in a way that
>makes PostgreSQL execute two queries?
>
>So instead of some PHP script generating query like
>"select * from table where text='some text' or id=1",
>some malicious user could make it generate "select *
>from table where text='some text' or id=1;delete from
>table"
>
>Thanks,
>Rikul
>
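The exchange above, worked through in code as an added example (this is not code from either poster). It puts the addslashes-based concatenation from the reply next to a hostile input, then shows the two approaches a practitioner would use today: a parameterized query via pg_query_params, and pg_escape_literal when SQL text really has to be built by hand. The caveat the reply does not mention: addslashes escapes a quote as \', but PostgreSQL treats a backslash inside '...' as an ordinary character when standard_conforming_strings is on (the default since 9.1), so the escaped quote does not protect the literal. The table name `items`, the connection string and the sample inputs are assumptions for the example.

```php
<?php
// Added example, not from the original thread. Assumes a PostgreSQL table
// items(field1 text, field2 text); the connection string is a placeholder.
declare(strict_types=1);

/** Integer form field: digits only, no sign, no whitespace, no overflow. */
function validPageNumber(string $raw): ?int
{
    if (!ctype_digit($raw)) {            // rejects "", "-1", " 12", "1e3", "12abc"
        return null;
    }
    $n = filter_var($raw, FILTER_VALIDATE_INT);
    return $n === false ? null : $n;     // false on values beyond PHP_INT_MAX
}

/** The pattern from the reply: escaping by string manipulation only. */
function buildWithAddslashes(string $formVar): string
{
    return "SELECT field1, field2 FROM items WHERE field1 = '"
        . addslashes($formVar) . "'";
}

// Constructed hostile input. addslashes turns the leading quote into \' but,
// with standard_conforming_strings = on, the backslash is just a character and
// the literal still ends at the quote, so "OR 1=1" lands in the WHERE clause.
$hostile = "' OR 1=1 --";
echo buildWithAddslashes($hostile), "\n";
// SELECT field1, field2 FROM items WHERE field1 = '\' OR 1=1 --'

/** Safe form: the value travels separately from the SQL text. */
function fetchByField1($db, string $formVar, int $page, int $perPage = 20): array
{
    $res = pg_query_params(
        $db,
        'SELECT field1, field2 FROM items WHERE field1 = $1 LIMIT $2 OFFSET $3',
        [$formVar, $perPage, $page * $perPage]
    );
    if ($res === false) {
        throw new RuntimeException(pg_last_error($db));
    }
    return pg_fetch_all($res) ?: [];     // older PHP returns false on zero rows
}

/** If SQL text must be built, let the driver quote for the live connection. */
function buildWithEscapeLiteral($db, string $formVar): string
{
    // pg_escape_literal adds the surrounding quotes itself and follows the
    // server's standard_conforming_strings setting and client encoding.
    return 'SELECT field1, field2 FROM items WHERE field1 = '
        . pg_escape_literal($db, $formVar);
}

// Usage: validate first, then query with parameters.
$page = validPageNumber($_GET['page'] ?? '');
$field1 = (string) ($_GET['field1'] ?? '');
if ($page === null) {
    http_response_code(400);
    exit('Bad form data!');
}
$db = pg_connect(getenv('PGCONNSTR') ?: 'dbname=app');   // placeholder connection
if ($db === false) {
    exit('database unavailable');
}
echo buildWithEscapeLiteral($db, $hostile), "\n";
// SELECT field1, field2 FROM items WHERE field1 = ''' OR 1=1 --'
foreach (fetchByField1($db, $field1, $page) as $row) {
    echo htmlspecialchars($row['field1']), ' ', htmlspecialchars($row['field2']), "\n";
}
```

The validation function answers the second half of the reply: a digits-only check with ctype_digit plus FILTER_VALIDATE_INT is both stricter and easier to read than a hand-written regex, and it has no special characters to get wrong. The parameterized query answers the original question directly: because the value never becomes part of the statement text, a semicolon in it cannot start a second statement.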