CodeDump
Daniel Antón García Daniel Antón García - 1 year ago 110
SQL Question

Possible security flaw php and SQL

So I have this code which basicaly retrieves data from a mysql database:

$categoria = $_GET['categoria'];

if($categoria ==""){}else{

$consulta = @mysql_query("SELECT * FROM productos where categoria='$categoria' ORDER BY     nombre ASC");

while($seleccion = @mysql_fetch_array($consulta)){

$nombre = $seleccion['nombre'];

$referencia = $seleccion['referencia'];

$descripcion = $seleccion['descripcion']; 

$imagen = $seleccion['imagen'];


And well after that I echo all of the variables... I was wondering, might there be any problem regarding security with a code like this? Is there any risk of it being hacked?
Thanks!

DevZer0 DevZer0
Answer Source

With your existing setup of mysql extension the best approach to follow is at least passing the strings through mysql_real_escape_string. If you can move to mysqli or pdo based setup that would be ideal. 

$consulta = @mysql_query("SELECT * FROM productos where categoria='" . mysql_real_escape_string($categoria) . "' ORDER BY     nombre ASC");

Also a side note from Simon its best you don't prefix the statement with @. This adds a bit of overhead to the execution. You should handle errors with error_reporting and display_errors.

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download

Sign up

Sign up with GitHub
Latest added
Olympus DVR recording date and time extractor
multitouchtest.html
metatype_loop_question
example_loop
-1 down vote favorite I have a listing page (call it a page to list the draft blogs or unpublished blogs). When I click a blog item from the draft, it shows the details on read-only format It provides four functionalities - Close, Edit, Delete, Publish. I have completed Close by calling {% url 'blog:drafts' %}, Edit by calling a class derived from UpdateView and delete by calling a class derived from DeleteView. However, I am stuck at publish since there is no view present to create a class based view and get it done. Other option was to define a function and then invoke that function in urls.py I run into issues when I try this I keep receiving error saying that the function that I invoked is not a valid view I am stuck at this error message for days. Is there any alternate ways to write a "publish" function inside the DetailView class and then invoke that function for the active object from the html template?
HS110 Python
......
alert
Create and Schedule Cron Jobs Easily with Laravel
Installing Laravel on Cloudways Laravel hosting
Rotating panels
http://aurvu.com
http://so4m6.com
FNISaa2 Papyrus
GenerateFNISUsers
FNIScommon1
FNISaa1
woocommmercerestapi.php
fsagsas
test for the future