Linux and PHP web application support and development (Bromsgrove, UK)

What you don’t want to see ….

A customer recently asked us to make some enhancements to code they had purchased. When we started looking at it, some obvious, glaring security holes stood out:

//This stops SQL Injection in GET vars
foreach ($_GET as $key => $value) {
    $_GET[$key] = mysql_real_escape_string($value);
}

And –

if (isset($_GET["job_id"])) {
    $job_id = mysql_real_escape_string($_GET["job_id"]);
}
// ....     
$job = getJob($job_id);

function getJob($job_id)
{
    // ...
    $sql = "SELECT * FROM jobs WHERE jobs.id = $job_id";
    $rs = $db->Execute($sql);
    // ...
}

(In the above example, escaping does nothing useful: $job_id is interpolated into the query without surrounding quotes, so escaping quote characters does not constrain what ends up in the SQL. The fix can be simple (casting $job_id to an integer before using it) or slightly more invasive, for example changing the code to use SQL prepared statements.)
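The two fixes just mentioned, written out as an added example (this is not the customer's code or the original post's); it assumes a PDO connection with hypothetical credentials and a jobs table whose id column is an integer:

```php
<?php
// Added example: hardened replacements for the getJob() pattern above.
// Assumes a PDO connection to a database with a `jobs` table whose
// `id` column is an integer. DSN and credentials below are placeholders.

// Fix 1: validate the parameter as an integer before it goes anywhere
// near SQL. FILTER_VALIDATE_INT only accepts a plain decimal integer,
// which is stricter than a bare (int) cast that silently turns
// arbitrary input into 0.
function readJobId(array $get): ?int
{
    if (!isset($get['job_id'])) {
        return null;
    }
    $id = filter_var(
        $get['job_id'],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $id === false ? null : $id;
}

// Fix 2: a prepared statement. The value travels separately from the
// query text, so it is never interpolated into the SQL, quoted or not.
function getJob(PDO $db, int $jobId): ?array
{
    $stmt = $db->prepare('SELECT * FROM jobs WHERE jobs.id = :id');
    $stmt->bindValue(':id', $jobId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage (hypothetical DSN and credentials):
$db = new PDO('mysql:host=localhost;dbname=app', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

$jobId = readJobId($_GET);
if ($jobId === null) {
    http_response_code(400);
    exit('Invalid job_id');
}
$job = getJob($db, $jobId);
```

The mysql_* functions the purchased code relies on were removed in PHP 7, so moving to PDO or mysqli prepared statements is needed regardless of the injection issue.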
