The Cache: Technology Expert's Forum
 
Author Topic: nubian mularkey  (Read 3965 times)
jammaster82 (Lifer, Posts: 666)
« on: January 07, 2008, 09:46:59 PM »

$sql = 'INSERT INTO testtable ('fieldone', 'fieldtwo') VALUES ('.$_REQUEST["companyname"].',\'two\');';

What am i doing wrong here?  D'oh!

Parse error:  syntax error, unexpected T_STRING in /home/test.php on line 22


The watched pot, never boils... But if you walk away from it , the soup burns.  What gives?

perkiset (Olde World Hacker, Administrator, Lifer, Posts: 10096)
« Reply #1 on: January 07, 2008, 11:22:32 PM »

When you want to deref a complex variable (an array, object reference, method or function) you need to enclose the entire thing in curly braces. Here is a better way to do that:

$sql = "insert into testtable(field1, field2) values('{$_REQUEST["companyname"]}', 'two')";

However: If that $_REQUEST variable is coming directly from a POST form, you are opening yourself to a huge security risk. So huge, in fact, that if you ever do this I'd like you to give me the url so that I can gain utter control of your MySQL server and have another borgbot for free. But I digress.

$company = trim($_REQUEST['companyname']);
$company = preg_replace('/[^A-Z0-9 ._-]/i', '', $company);   // keep only letters, digits, space, '.', '_' and '-' (hyphen last so it is literal, not a range)

If this is too drastic, you can probably get away with
$company = mysql_escape_string(trim($_REQUEST['companyname']));   // escapes quotes/backslashes for the MySQL string literal

THEN
$sql = "insert into testtable(field1, field2) values('$company', 'two')";

but I wouldn't do it.

It is now believed, that after having lived in one compound with 3 wives and never leaving the house for 5 years, Bin Laden called the U.S. Navy Seals himself.
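The three options in the reply above side by side, as an added example that is not code from the thread: the naive interpolation, the allowlist filter, and a prepared statement, each fed the same hostile input. It runs stand-alone against an in-memory SQLite database through PDO; the table, the column names and the attacker string are constructed for the demo.

```php
<?php
// Added example, not code from the thread. Builds the same INSERT three ways:
// the naive interpolation from the posts (injectable), the allowlist filter
// (with the character class written so '-' is literal), and a prepared
// statement. Runs stand-alone against an in-memory SQLite database via PDO;
// the table, the column names and the hostile input are all constructed here.
declare(strict_types=1);

// Constructed attacker value: closes the quoted literal and appends a second statement.
const HOSTILE = "Acme', 'two'); DROP TABLE testtable; --";

// 1. Naive interpolation: the raw value becomes part of the SQL text itself.
function naiveSql(string $company): string
{
    return "insert into testtable(field1, field2) values('$company', 'two')";
}

// 2. Allowlist: keep only letters, digits, space, dot, underscore and hyphen.
//    The hyphen sits last in the class so PCRE treats it as a literal rather
//    than the start of a range (a range like ' -.' would let quotes through).
function allowlistCompany(string $raw): string
{
    return preg_replace('/[^A-Z0-9 ._-]/i', '', trim($raw));
}

// 3. Prepared statement: the value is bound as data and never parsed as SQL.
function insertPrepared(PDO $db, string $company): void
{
    $stmt = $db->prepare('INSERT INTO testtable (field1, field2) VALUES (:company, :two)');
    $stmt->execute([':company' => $company, ':two' => 'two']);
}

// Does the demo table still exist? Used to show the prepared insert was harmless.
function tableExists(PDO $db, string $name): bool
{
    $stmt = $db->prepare("SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = :n");
    $stmt->execute([':n' => $name]);
    return (int) $stmt->fetchColumn() === 1;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE testtable (field1 TEXT, field2 TEXT)');

// The naive string now carries two statements; a driver that runs multi-statement
// text would execute the DROP. It is only printed here, never executed.
echo "naive SQL:    ", naiveSql(HOSTILE), "\n";

// The filtered value has lost its quotes, parentheses and semicolon.
echo "allowlisted:  ", allowlistCompany(HOSTILE), "\n";

// The prepared insert stores the hostile text verbatim as a value; the table survives.
insertPrepared($db, HOSTILE);
$stored = $db->query('SELECT field1 FROM testtable')->fetchColumn();
echo "stored value: ", $stored, "\n";
echo "table exists: ", tableExists($db, 'testtable') ? 'yes' : 'no', "\n";
```

The allowlist is the right tool when the field has a known shape (a company name here); the prepared statement is the one that holds regardless of what the value contains, which is why escaping functions are the fallback rather than the first choice.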

DangerMouse (Expert, Posts: 244)
« Reply #2 on: January 08, 2008, 04:03:31 AM »

Are there any particular failings in mysql_escape_string that you're aware of, Perk?

vsloathe (vim ftw!, Global Moderator, Lifer, Posts: 1669)
« Reply #3 on: January 08, 2008, 08:32:54 AM »

Perk used to chide me for doing everything on one line.

hai

perkiset (Olde World Hacker, Administrator, Lifer, Posts: 10096)
« Reply #4 on: January 08, 2008, 09:40:06 AM »

ROFLMAO. Well, whole programs written to ascertain the meaning of 42 on a single line are a bit different from nesting a few string handling routines in a single line, no?

And for clarification: I put LOTS on a single line for my own self, if it's very readable. This is because I'll get a tiny-tiny performance bump from PHP, whereas lots more lines to compile will take a tiny-tiny performance hit. If I'm doing something for anyone else to look at I explode lines so they can read it, or if the line itself is tricky enough that I can see I won't understand my own code in 3 months then I explode it as well.

jammaster82 (Lifer, Posts: 666)
« Reply #5 on: January 08, 2008, 09:58:35 AM »

I like as little in the way of my 'tardedness as possible, so I keep it line by line until it's done forever (like that happens). Then at the end I will try to optimize, but that's so difficult for me in PHP because of the symbol-ness. Someone needs to invent their own robotic language without so many symbols so that you can just start coding and have fun without it puking spaces after semicolons back out at you ;)

Thanks, Perk, that worked. I needed the { } tip.

 
« Last Edit: January 08, 2008, 10:01:35 AM by jammaster82 »

perkiset (Olde World Hacker, Administrator, Lifer, Posts: 10096)
« Reply #6 on: January 08, 2008, 10:09:18 AM »

nw lad

jammaster82 (Lifer, Posts: 666)
« Reply #7 on: January 08, 2008, 01:10:29 PM »

RE: $_REQUEST from post

So... how can I not expose my turd chewer then?

perkiset (Olde World Hacker, Administrator, Lifer, Posts: 10096)
« Reply #8 on: January 08, 2008, 01:50:30 PM »

Well, your post variables will still come up as normal because that's how HTTP works. But the goal is to isolate the inbound $_POST variables from actual code, i.e., NEVER let code come straight from your GET or POST variables and touch/modify/execute PHP code or MySQL stuff. That's just a recipe for disaster. For example: if a GET parameter defines what page I will show, then I will look at the inbound $_GET value in a switch statement and then do what I expect, OR I will bounce somewhere with a hack notification. See, I know what I should see when a page request comes in; it is laziness not to confirm that what is coming in is within *exactly* what I expect. That's all.
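The page-selector check described in the reply above, as an added example that is not code from the thread. The accepted values live in one map and the parameter must match one of its keys exactly (the same allowlist the post puts in a switch); anything else is logged and bounced. The page names, the template map, and the noteHackAttempt/handle helpers are inventions of this example.

```php
<?php
// Added example, not code from the thread. A page selector taken from $_GET is
// compared against an explicit allowlist before it steers anything; anything
// else is logged and bounced. The page names, the template map and the
// logging/bounce helpers are inventions of this example.
declare(strict_types=1);

// Every value the parameter is allowed to take, and what each one maps to.
const PAGES = [
    'home'    => 'templates/home.php',
    'about'   => 'templates/about.php',
    'contact' => 'templates/contact.php',
];

// Record the unexpected input (truncated so the log line itself stays sane).
function noteHackAttempt(string $param, string $value): void
{
    error_log(sprintf('rejected %s=%s', $param, substr($value, 0, 80)));
}

// Returns the template for the request, or null when the request should be bounced.
// Only a string that is exactly one of the PAGES keys gets through; arrays
// (?page[]=x), case variants and anything with extra characters are rejected.
function selectPage(array $get): ?string
{
    $page = $get['page'] ?? 'home';
    if (!is_string($page) || !array_key_exists($page, PAGES)) {
        noteHackAttempt('page', is_string($page) ? $page : gettype($page));
        return null;
    }
    return PAGES[$page];
}

// In a real handler the null branch would be the bounce; in this demo it just reports.
function handle(array $get): string
{
    $template = selectPage($get);
    if ($template === null) {
        // header('Location: /'); exit;   <- what the bounce looks like in a web context
        return 'bounced';
    }
    return 'render ' . $template;
}

// Constructed probes: one legitimate, the rest the kind of thing a scanner sends.
$probes = [
    [],
    ['page' => 'about'],
    ['page' => 'About'],
    ['page' => '../../../etc/passwd'],
    ['page' => "home' OR 1=1 --"],
    ['page' => ['x']],
];
foreach ($probes as $get) {
    echo str_pad(json_encode($get), 32), ' -> ', handle($get), "\n";
}
```

The point of the map is that the inbound value is only ever used as a lookup key; it never reaches an include path, a query, or an eval, so there is nothing for a crafted value to influence beyond "accepted" or "bounced".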

vsloathe (vim ftw!, Global Moderator, Lifer, Posts: 1669)
« Reply #9 on: January 08, 2008, 02:57:21 PM »

Thank God that most people use poor coding practices though, or I would be out of business.
Powered by MySQL Powered by PHP Powered by SMF 1.1.2 | SMF © 2006-2007, Simple Machines LLC