[nycphp-talk] PHP Error - Need Help Debugging
Rolan Yang
rolan at omnistep.com
Thu Apr 13 22:24:18 EDT 2006
Heh, I am surprised it took that many responses to arrive at the correct
answer.
Adding to Chris' comment about SQL security, if your query used to
validate the id and postid are formatted in the same manner (including
{$_GET['id']} in the query), someone could inject a query into yours...
Something disastrous might be if the hacker manually posted with an $id
value "1; DELETE * FROM USERS; select * from posts,users where 1=1"
To be safe, I try to keep all my id's as integers and do something like:
$id=intval($_GET['id']);
~Rolan
drydell at optonline.net wrote:
> the syntax error has to do with $_GET[id] and $_GET[postid]...
>
> WHERE posts.postid = \"{$_GET['id']}\" AND posts.userid = users.userid AND posts.replyto = {$_GET['postid']} would fix the syntax error
>
>
>> I'm getting the following error:
>> Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING
>>
>> The line of code is:
>> $checkreplies = "SELECT posts.postid, posts.subject, posts.body,
>> posts.created, users.userid, users.username, users.aim, users.created,
>> users.admin FROM posts, users WHERE posts.postid = \"$_GET[id]\" AND
>> posts.userid = users.userid AND posts.replyto = $_GET[postid] LIMIT
>> ".($pagecount-1)*10-1.", 10";
>
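As an added illustration of the point made in this message (not code from the thread or from the original poster), the interpolated query from the quoted post is shown next to a version that applies the intval() advice and binds the values through PDO prepared statements. The SQLite in-memory schema, the rows, and the page-to-offset rule are constructed assumptions for this example.

```php
<?php
// Added example, not code from the thread. The schema and rows below are
// constructed for illustration only.

function buildQueryUnsafe(string $id, string $postid): string {
    // Mirrors the original post: untrusted $_GET values dropped into the SQL text.
    return "SELECT posts.postid FROM posts, users WHERE posts.postid = \"{$id}\""
         . " AND posts.userid = users.userid AND posts.replyto = {$postid}";
}

function fetchRepliesSafe(PDO $pdo, $id, $postid, int $pagecount = 1): array {
    // 1) Coerce the ids to integers, as the message suggests.
    $id = intval($id);
    $postid = intval($postid);
    $offset = max(0, ($pagecount - 1) * 10);   // assumed page-to-offset rule
    // 2) Never interpolate: bind the values so the SQL text itself never changes.
    $stmt = $pdo->prepare(
        'SELECT posts.postid, posts.subject, users.username'
      . ' FROM posts JOIN users ON posts.userid = users.userid'
      . ' WHERE posts.postid = :id AND posts.replyto = :postid'
      . ' LIMIT 10 OFFSET :offset'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':postid', $postid, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database standing in for the thread's posts/users tables.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (userid INTEGER, username TEXT)');
$pdo->exec('CREATE TABLE posts (postid INTEGER, subject TEXT, userid INTEGER, replyto INTEGER)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice')");
$pdo->exec("INSERT INTO posts VALUES (7, 'Re: hello', 1, 3)");

// The hostile $id value from the message above.
$hostile = '1; DELETE * FROM USERS; select * from posts,users where 1=1';
echo "Unsafe query text:\n" . buildQueryUnsafe($hostile, '3') . "\n\n";
echo "intval() of hostile input: " . intval($hostile) . "\n";   // 1
print_r(fetchRepliesSafe($pdo, '7', '3'));        // one row: postid 7
print_r(fetchRepliesSafe($pdo, $hostile, '3'));   // id becomes 1: no rows
```

Only the unsafe query is shown as text; it is never executed, which is the point of the comparison.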