A customer recently asked us to make some enhancements to code they had purchased. When we started looking at it, some glaring security holes stood out:
    // This stops SQL Injection in GET vars
    foreach ($_GET as $key => $value) {
        $_GET[$key] = mysql_real_escape_string($value);
    }
And –
    if (isset($_GET["job_id"])) {
        $job_id = mysql_real_escape_string($_GET["job_id"]);
    }
    // ....
    $job = getJob($job_id);

    function getJob($job_id) {
        // ...
        $sql = "SELECT * FROM jobs WHERE jobs.id = $job_id";
        $rs = $db->Execute($sql);
        // ...
    }
mysql_real_escape_string() only escapes quote and control characters, so it does nothing for a value that is interpolated into the query unquoted, as $job_id is above. For this example the fix can be simple (casting $job_id to an integer before using it) or slightly more invasive, for example changing the code to use SQL prepared statements.
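Both fixes side by side, as an added example that is not code from the original post or from the purchased application. It assumes PDO with the SQLite driver and runs against an in-memory database so it executes offline; the jobs table, its rows and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not code from the original post: the integer cast and the
// prepared statement named above, run against an in-memory SQLite database.
// The jobs table, its rows and the sample inputs are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO jobs (id, title) VALUES (1, 'Plumber'), (2, 'Electrician')");

// Fix 1: cast before interpolating. Only a bare integer literal can reach the
// query text, so the unquoted "WHERE jobs.id = $jobId" is no longer injectable.
function getJobByCast(PDO $db, string $rawJobId): ?array
{
    $jobId = (int) $rawJobId;
    $row = $db->query("SELECT * FROM jobs WHERE jobs.id = $jobId")->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Fix 2: validate, then bind. The value travels separately from the SQL text,
// so it is never parsed as SQL. Rejecting non-integers up front also avoids
// the cast's silent coercion (e.g. "2abc" becoming 2).
function getJobPrepared(PDO $db, string $rawJobId): ?array
{
    $jobId = filter_var($rawJobId, FILTER_VALIDATE_INT);
    if ($jobId === false) {
        return null; // not an integer at all: refuse rather than guess
    }
    $stmt = $db->prepare('SELECT * FROM jobs WHERE jobs.id = :id');
    $stmt->bindValue(':id', $jobId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a normal id, a tautology of the kind escaping alone
// would have passed straight into the unquoted query, and a non-numeric value.
$inputs = ['2', '2 OR 1=1', 'abc'];
foreach ($inputs as $raw) {
    $byCast   = getJobByCast($db, $raw);
    $prepared = getJobPrepared($db, $raw);
    printf("%-12s cast=%-12s prepared=%s\n",
        var_export($raw, true),
        $byCast === null ? 'null' : $byCast['title'],
        $prepared === null ? 'null' : $prepared['title']);
}
```

The cast version returns the Electrician row for both '2' and '2 OR 1=1' (the cast keeps the leading 2 and discards the rest), while the validated prepared version returns the row only for '2' and null for the other two. Either way the query can no longer be altered by the parameter. Note also that the mysql_* extension used in the original code was removed in PHP 7.0, so a modern port has to move to PDO or mysqli regardless, which makes prepared statements the natural choice.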