My CMS please test it out - Webmaster Forum - Web Design, Programming and SEO forums

07-04-2009, 03:55 PM

#10

Village Genius

Status: Geek
Join date: Apr 2006
Location: Denver, CO
Expertise: Software
Software: Chrome, Notepad++

Posts: 6,894

iTrader: 18 / 100%

Village Genius will become famous soon enough

Your integers still seem to be insecure, the page http://cms.rodadewa.net/indexsub.php...BY%20id%20DESC
will take you to your latest article because I rewired the query to do so. When you have an integer field you are putting in the database without quotes, typecast it to int.

This is because mysql_real_escape_string secures against ending the quote and executing commands, but does nothing against plain words because they are normally valid parts of strings. The two ways against there are putting quotes around the int field (the mysql manual recommends this) and typecasting the variable to int

PHP Code:


			
//Method One
$query = "SELECT * FROM table WHERE id='$id'";

//Method Two
$forcedInt = (int)$_GET["id"];
query="SELECT * FROM table WHERE id=$forcedInt";

While secure, both these method leave room for harmless (but annoying) errors. I seggust you further validate that you are workng with a correct format opposed to letting the system catch it at the last second.