View Single Post
07-04-2009, 03:55 PM
#10
Village Genius is offline Village Genius
Village Genius's Avatar
Status: Geek
Join date: Apr 2006
Location: Denver, CO
Expertise: Software
Software: Chrome, Notepad++
 
Posts: 6,893
iTrader: 18 / 100%
 

Village Genius will become famous soon enough

  Old

Your integers still seem to be insecure, the page http://cms.rodadewa.net/indexsub.php...BY%20id%20DESC
will take you to your latest article because I rewired the query to do so. When you have an integer field you are putting in the database without quotes, typecast it to int.

This is because mysql_real_escape_string secures against ending the quote and executing commands, but does nothing against plain words because they are normally valid parts of strings. The two ways against there are putting quotes around the int field (the mysql manual recommends this) and typecasting the variable to int
PHP Code:
//Method One
$query "SELECT * FROM table WHERE id='$id'";

//Method Two
$forcedInt = (int)$_GET["id"];
query="SELECT * FROM table WHERE id=$forcedInt"
While secure, both these method leave room for harmless (but annoying) errors. I seggust you further validate that you are workng with a correct format opposed to letting the system catch it at the last second.

Reply With Quote