Marc Fromm wrote:
> This is my code:
> <?php
> $dbconn = pg_connect("host=localhost port=5432 user=postgres dbname=studentalerts");
>
> if(isset($_GET["value"])){
> $w_number=$_GET["value"];
> }
> //echo $w_number;
>
> $query = "select first_name, last_name, alert from alert_list where w_number='$w_number'";
>
You should probably be using code that looks like this:
$query = "select first_name, last_name, alert from alert_list where w_number='" . pg_escape_string($w_number) . "'"
Otherwise you're vulnerable to SQL Injection attacks.. For example, what happens if w_number looks like this:
' UNION ALL select usename, passwd, '1' from pg_shadow where 'a'='a
Granted, your user might not have sufficient privileges to view *that* information (of course, your app connects as
postgres,so they probably would have access to that data), but there are lots of other nifty things that an attacker
couldgather to subvert your system. One might be:
' UNION ALL select ccnumber, cid, addr1 from creditcards where 'a'='a
> $result = pg_query($dbconn,$query);
> if (!$result) {
> echo "Problem with query " . $query . "<br/>";
> echo pg_last_error();
> exit();
> }
>
> $rows = pg_fetch_assoc($result);
>
This line ( $rows=pg_fetch_assoc($result);) should be:
$rows = pg_num_rows($result)
You just want to check that there were results, right?
Every time you call pg_fetch_assoc($result) the result set is advanced
to the next row of results, so you shouldn't use this unless you want to
actually process a row of results...
Generally speaking, you might have an easier time of interfacing with
the database if you use an abstraction layer like ADODB
(http://adodb.sf.net)
--
Chander Ganesan
Open Technology Group, Inc.
One Copley Parkway, Suite 210
Morrisville, NC 27560
919-463-0999/877-258-8987
http://www.otg-nc.com
Ask me about Expert PostgreSQL, PHP, Python, and other Open Source training!
