[svlug] PHP database code not...

Michael Robinson plug_1 at robinson-west.com
Thu Nov 13 20:04:57 PST 2014


On Thu, 2014-11-13 at 11:04 +0100, Ivan Sergio Borgonovo wrote:
> On 11/13/2014 05:51 AM, Michael Robinson wrote:
> 
> Scary!
> Read about input validation.
> 
> > foreach ( $_POST['computers'] as $setcomp )
> > {
> >           chop ($setcomp);
> > 
> >           $query =  "SELECT * FROM computers WHERE computer_name ";
> 
> Scary!
> Read about SQL injection, which, if I remember right, represents 20% of the
> intrusion vectors in applications.
> 
> >           $query .= "= '$setcomp';";
> > 
> >           echo "$query";
> > 
> >           $result = pg_query($db,$query);
> 
> pg_fetch_row — Get a row as an enumerated array.
> pg_fetch_row() fetches *one* row of data from the result associated with
> the specified result resource.
> 
> >           $compid = pg_fetch_row($result);
> 
> It looks like this line has to be *in* the loop.
> 
> >           foreach ( $compid as $element )
> >           { echo "<P>$element</P>"; }
> > 
> >           ...
> > }
> 
> 
> -- 
> Ivan Sergio Borgonovo
> http://www.webthatworks.it
> 

If this were accessed in any way other than over a local area network,
input validation would be mandatory and I'm not certain how I would
verify that I'm connecting to the right database.  I guess the wrong
values I'm getting for computer_id are errors?  The code should include
input validation and correct database validation, but right now I'm just
trying to keep things simple.  How do I get the correct computer_id for
each computer I want to associate with a user_id in another table?
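The two points raised in the quoted reply (the injectable string-built query and the pg_fetch_row() call sitting outside the loop) can be addressed together. The following is an added example, not code from either poster: it assumes a PostgreSQL connection $db already opened with pg_connect(), the table computers(computer_id, computer_name) from the thread, and a hypothetical association table user_computers(user_id, computer_id) for the user_id link Michael asks about. The hostname pattern used for validation is also an assumption.

```php
<?php
// Added example, not the original poster's code.
// Assumes: $db from pg_connect(); table computers(computer_id, computer_name);
// hypothetical table user_computers(user_id, computer_id).

/**
 * Map each submitted computer name to its computer_id.
 * Returns name => computer_id, or name => null when the name fails validation
 * or no row matches.
 */
function lookupComputerIds($db, array $names): array
{
    $ids = [];
    foreach ($names as $raw) {
        // chop()/trim() return the trimmed string; they do not modify $raw in place,
        // so the original `chop($setcomp);` statement had no effect.
        $name = trim((string) $raw);

        // Input validation (assumed policy): letters, digits, '-' and '.', 1..63 chars.
        if ($name === '' || !preg_match('/^[A-Za-z0-9.-]{1,63}$/', $name)) {
            $ids[$name] = null;
            continue;
        }

        // Original pattern, vulnerable to SQL injection:
        //   "SELECT * FROM computers WHERE computer_name = '$setcomp';"
        // Parameterized form: the value is sent separately from the SQL text,
        // so a quote or semicolon inside $name cannot alter the statement.
        $result = pg_query_params(
            $db,
            'SELECT computer_id FROM computers WHERE computer_name = $1',
            [$name]
        );
        if ($result === false) {
            throw new RuntimeException('query failed: ' . pg_last_error($db));
        }

        // pg_fetch_row() returns one row of *this* result, so it belongs inside the loop;
        // calling it once after the loop would only ever see the last query's result.
        $row = pg_fetch_row($result);
        $ids[$name] = ($row === false) ? null : (int) $row[0];
        pg_free_result($result);
    }
    return $ids;
}

/**
 * Associate the resolved computer_ids with a user_id, skipping unresolved names.
 * Uses the hypothetical user_computers table; runs inside one transaction.
 */
function linkComputersToUser($db, int $userId, array $ids): int
{
    $linked = 0;
    pg_query($db, 'BEGIN');
    foreach ($ids as $name => $computerId) {
        if ($computerId === null) {
            continue; // unknown or invalid name: nothing to associate
        }
        $ok = pg_query_params(
            $db,
            'INSERT INTO user_computers (user_id, computer_id) VALUES ($1, $2)',
            [$userId, $computerId]
        );
        if ($ok === false) {
            pg_query($db, 'ROLLBACK');
            throw new RuntimeException('insert failed: ' . pg_last_error($db));
        }
        $linked++;
    }
    pg_query($db, 'COMMIT');
    return $linked;
}

// Usage in the request handler (assumes the form still posts computers[] as in the thread):
// $ids = lookupComputerIds($db, $_POST['computers'] ?? []);
// foreach ($ids as $name => $id) { echo '<P>' . htmlspecialchars($name) . ': ' . ($id ?? 'not found') . '</P>'; }
// $count = linkComputersToUser($db, $userId, $ids);
```

Echoing the query string to the page, as the original does, is also worth dropping: it leaks table and column names to whoever submits the form, and with pg_query_params() there is no assembled string to show anyway.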
