Code: Select all
@ini_set('display_errors', 'on');
Is this code safe?
Moderators: egami, macek, gesf
-
seandisanti
- php-forum Fan User
- Posts: 973
- Joined: Mon Oct 01, 2012 12:32 pm
right off the bat I'd remove the line
you only want errors on in dev environment. in real world they can communicate info you do not want shared, including table names etc. if given the correct input. Also, this may sound nitpicky, but personally i believe that 'SELECT *' is bad form in general. I typically prefer explicitly named fields in select statements. In cases where you have multiple tables linked, it can really cut down on the size of the result set. You're also implicitly trusting the form posting your data by not verifying even as much as the referer or the post fields.
-
seandisanti
- php-forum Fan User
- Posts: 973
- Joined: Mon Oct 01, 2012 12:32 pm
the asterisk is a wild card used in queries to say 'all fields'. It is better to be deliberate with your requests, like
If you're trying to be security minded, always assume that every user wants to break or compromise your database, pages, etc.
you also want to escape your strings etc. think about if $EAN contained the value "0; DROP TABLE ps_product;" your query to return all rows just turned into 2 queries where the first returns no results, and the second discards the table.SELECT field1,field2,field3 FROM atable WHERE criteria=true
If you're trying to be security minded, always assume that every user wants to break or compromise your database, pages, etc.
ADVERTISEMENT
ADVERTISEMENT
ADVERTISEMENT