[nycphp-talk] PHP Error - Need Help Debugging
IAlsoAgree at stny.rr.com
Thu Apr 13 00:05:36 EDT 2006
Doesn't matter. I do tests on all the data for validity before I try to
do anything with it. In this case, postid is checked against the
database for a valid post id (that also isn't a response to a post)
before ANY actions are taken. Same is done for the page number. The page
number is checked to make sure there will actually be posts on that page
before any action is taken. Thus, a user can type whatever he/she wants
for either; the script will react appropriately.
-Joe
----- Original Message -----
From: Chris Shiflett <shiflett at php.net>
Date: Wednesday, April 12, 2006 10:53 pm
Subject: Re: [nycphp-talk] PHP Error - Need Help Debugging
To: NYPHP Talk <talk at lists.nyphp.org>
> IAlsoAgree at stny.rr.com wrote:
> > $checkreplies = "SELECT posts.postid, posts.subject, posts.body,
> > posts.created, users.userid, users.username, users.aim, users.created,
> > users.admin FROM posts, users WHERE posts.postid = \"$_GET[id]\" AND
> > posts.userid = users.userid AND posts.replyto = $_GET[postid] LIMIT
> > ".($pagecount-1)*10-1.", 10";
>
> It sounds like you've fixed your immediate problem, but I'd like to
> stress the risk in letting a user modify your SQL query like this. Every
> time you use $_GET['id'] or $_GET['postid'], it's like handing over your
> keyboard to the user - you never know what he will type.
>
> Chris
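The query Chris quotes above, rebuilt as an added example that is not code from the thread: the string-built form is run with a crafted postid value beside a prepared-statement form that binds typed integers, against an in-memory SQLite database through PDO so it runs stand-alone. The table layout, the sample rows, the function names checkRepliesUnsafe/checkRepliesSafe and the request values are all constructed for this demonstration; the LIMIT offset is simply (page-1)*10 here rather than the thread's own expression.

```php
<?php
// Added example, not code from the thread. Same query shape as Joe's,
// run against an in-memory SQLite database via PDO so it is self-contained.
// Tables, rows, function names and request values are all constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT,
           aim TEXT, created TEXT, admin INTEGER)');
$db->exec('CREATE TABLE posts (postid INTEGER PRIMARY KEY, userid INTEGER,
           replyto INTEGER, subject TEXT, body TEXT, created TEXT)');
$db->exec("INSERT INTO users VALUES
           (1, 'alice', 'alice_aim', '2006-01-01', 1),
           (2, 'bob',   'bob_aim',   '2006-02-01', 0)");
$db->exec("INSERT INTO posts VALUES
           (1, 1, 0, 'Thread A',     'top post',   '2006-03-01'),
           (2, 2, 1, 'Re: Thread A', 'reply in A', '2006-03-02'),
           (3, 1, 0, 'Thread B',     'top post',   '2006-03-03'),
           (4, 1, 3, 'Re: Thread B', 'reply in B', '2006-03-04')");

const REPLY_COLUMNS = 'posts.postid, posts.subject, posts.body, posts.created,
    users.userid, users.username, users.aim, users.created, users.admin';

// Vulnerable form: request values are pasted into the SQL text, so whatever
// the user typed becomes part of the statement. (Single quotes around id
// here for SQLite; the thread's MySQL version used double quotes.)
function checkRepliesUnsafe(PDO $db, array $get, int $page): array
{
    $offset = ($page - 1) * 10;
    $sql = "SELECT " . REPLY_COLUMNS . " FROM posts, users
            WHERE posts.postid = '$get[id]'
              AND posts.userid = users.userid
              AND posts.replyto = $get[postid]
            LIMIT $offset, 10";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the SQL text is fixed and the values travel separately as
// bound integers; anything that is not a plain non-negative integer is
// rejected before it gets near the database.
function checkRepliesSafe(PDO $db, array $get, int $page): array
{
    foreach (['id', 'postid'] as $key) {
        if (!isset($get[$key]) || !preg_match('/\A\d{1,9}\z/', (string) $get[$key])) {
            throw new InvalidArgumentException("$key must be a non-negative integer");
        }
    }
    $stmt = $db->prepare("SELECT " . REPLY_COLUMNS . " FROM posts, users
            WHERE posts.postid = :id
              AND posts.userid = users.userid
              AND posts.replyto = :postid
            LIMIT :offset, 10");
    // PARAM_INT matters for LIMIT: a quoted '0' is not a valid offset on MySQL.
    $stmt->bindValue(':id',     (int) $get['id'],     PDO::PARAM_INT);
    $stmt->bindValue(':postid', (int) $get['postid'], PDO::PARAM_INT);
    $stmt->bindValue(':offset', max(0, ($page - 1) * 10), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A request where postid is not a number at all but an SQL fragment.
$crafted = ['id' => '2', 'postid' => '1 OR 1=1'];
$rows = checkRepliesUnsafe($db, $crafted, 1);
printf("unsafe: %d rows returned for postid=%s\n", count($rows), $crafted['postid']);
foreach ($rows as $r) {
    printf("  post %d (%s) joined to user %s, admin=%d\n",
           $r['postid'], $r['subject'], $r['username'], $r['admin']);
}

try {
    checkRepliesSafe($db, $crafted, 1);
} catch (InvalidArgumentException $e) {
    echo "safe: rejected: ", $e->getMessage(), "\n";
}

$honest = ['id' => '2', 'postid' => '1'];
printf("safe: %d row(s) for honest input\n", count(checkRepliesSafe($db, $honest, 1)));
```

Run it with the PHP CLI (pdo_sqlite must be loaded). In the unsafe form the trailing `OR 1=1` binds more loosely than the ANDs before it, so the WHERE clause is true for every combination of post and user, and rows from other threads, including the admin flag of every user, come back in one page. Against MySQL, keep PDO::ATTR_EMULATE_PREPARES off so the server itself does the binding, and bind LIMIT values with PDO::PARAM_INT so the driver does not quote them.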