What you don’t want to see ….
August 29, 2012, palepurple, development, security
A customer recently asked us to perform some enhancements to some code they’d purchased – when we started looking at it, some obvious glaring security holes stood out –
// This stops SQL Injection in GET vars
foreach ($_GET as $key => $value) {
    $_GET[$key] = mysql_real_escape_string($value);
}
And –
if (isset($_GET["job_id"])) {
    $job_id = mysql_real_escape_string($_GET["job_id"]);
}
// ....
$job = getJob($job_id);

function getJob($job_id)
{
    // ...
    $sql = "SELECT * FROM jobs WHERE jobs.id = $job_id";
    $rs = $db->Execute($sql);
    // ...
}
(For the above example, the solution can be simple (casting $job_id to an integer before using it) or slightly more invasive – for example changing the code to use SQL prepared statements)
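The reason the escaping above buys nothing here is that mysql_real_escape_string() only neutralises characters that would terminate a quoted string literal, while $job_id is interpolated into the query unquoted, so a value that contains no quote characters passes through unchanged and becomes part of the SQL. Both of the fixes mentioned are shown below as an added example (not code from the original post or the customer's application). It uses PDO against an in-memory SQLite database so it runs stand-alone; the jobs table layout and the function names getJobByCast() and getJobPrepared() are assumptions for illustration, and in production the DSN would point at MySQL.

```php
<?php
// Added example, not the original post's code: getJob() rewritten two ways.
// PDO with SQLite in memory keeps it self-contained; the schema is constructed.
declare(strict_types=1);

function connect(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
    $db->exec("INSERT INTO jobs (id, title) VALUES (1, 'Plumber'), (2, 'Electrician')");
    return $db;
}

// Shared validation: a job id is an integer by contract, so anything that is not
// a plain string of decimal digits is rejected before it goes anywhere near SQL.
function requireJobId(string $raw): int
{
    if ($raw === '' || !ctype_digit($raw)) {
        throw new InvalidArgumentException('job_id must be a positive integer');
    }
    return (int) $raw;
}

// Fix 1: cast. After requireJobId() the interpolated value can only be digits,
// so the string-built query is safe even though it is still built by interpolation.
function getJobByCast(PDO $db, string $rawJobId): ?array
{
    $jobId = requireJobId($rawJobId);
    $rs = $db->query("SELECT * FROM jobs WHERE jobs.id = $jobId");
    return $rs->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Fix 2: prepared statement. The value is sent as a bound parameter and never
// becomes part of the SQL text, so quoting context stops mattering entirely.
function getJobPrepared(PDO $db, string $rawJobId): ?array
{
    $stmt = $db->prepare('SELECT * FROM jobs WHERE jobs.id = :id');
    $stmt->bindValue(':id', requireJobId($rawJobId), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

$db = connect();
var_dump(getJobByCast($db, '2'));
var_dump(getJobPrepared($db, '1'));
var_dump(getJobPrepared($db, '99'));   // no such row: null

try {
    getJobByCast($db, '2abc');          // rejected by requireJobId()
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

Of the two, the prepared statement is the one worth standardising on: the cast only works because this particular column is numeric, whereas binding parameters protects string columns just as well and removes the need to reason about quoting at every call site.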