Linux and PHP web application support and development (Bromsgrove, UK)

tel: 0845 0046746

What you don’t want to see ….

A customer recently asked us to perform some enhancements to some code they’d purchased – when we started looking at it, some obvious glaring security holes stood out –

//This stops SQL Injection in GET vars
foreach ($_GET as $key => $value) {
    $_GET[$key] = mysql_real_escape_string($value);
}

And –

if (isset($_GET["job_id"])) {
    $job_id = mysql_real_escape_string($_GET["job_id"]);
}
// ....     
$job = getJob($job_id);

function getJob($job_id)
{
    // ...
    $sql = "SELECT * FROM jobs WHERE jobs.id = $job_id";
    $rs = $db->Execute($sql);
    // ...
}

(For the above example, the solution can be simple (casting $job_id to an integer before using it) or slightly more invasive – for example changing the code to use SQL prepared statements)

Leave a Reply

Your email address will not be published. Required fields are marked *