Is this code safe?

seandisanti
php-forum Fan User
Posts: 973
Joined: Mon Oct 01, 2012 12:32 pm

Re: Is this code safe?

Post by seandisanti » Mon Feb 11, 2013 11:25 pm

Right off the bat I'd remove the line

    @ini_set('display_errors', 'on');

You only want errors on in a dev environment. In the real world they can communicate info you do not want shared, including table names etc., if given the correct input. Also, this may sound nitpicky, but personally I believe that 'SELECT *' is bad form in general. I typically prefer explicitly named fields in select statements. In cases where you have multiple tables linked, it can really cut down on the size of the result set. You're also implicitly trusting the form posting your data by not verifying even as much as the referer or the post fields.

seandisanti

Re: Is this code safe?

Post by seandisanti » Fri Feb 15, 2013 3:18 pm

The asterisk is a wildcard used in queries to say 'all fields'. It is better to be deliberate with your requests, like

    SELECT field1,field2,field3 FROM atable WHERE criteria=true

You also want to escape your strings, etc. Think about if $EAN contained the value "0; DROP TABLE ps_product;": your query to return all rows just turned into 2 queries, where the first returns no results and the second discards the table.
If you're trying to be security minded, always assume that every user wants to break or compromise your database, pages, etc.
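The two replies above make three points: keep display_errors off outside development, name your columns instead of SELECT *, and never splice user input into SQL text. The script below is an added example written for this thread, not code posted by seandisanti or by the original poster. It assumes PHP with the pdo_sqlite extension; the ps_product table, the ean13 column and the sample row are constructed for the demo, and $EAN carries the hostile value from the second reply.

```php
<?php
// Added example (not from the thread). Requires the pdo_sqlite extension.
// Table name ps_product, column ean13 and the sample row are constructed.

// Production settings: keep error text out of the HTTP response and in the
// server log instead, which is the point of the first reply.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Build a throwaway in-memory database with one product row.
function freshDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE ps_product (id_product INTEGER PRIMARY KEY, ean13 TEXT, name TEXT)');
    $pdo->exec("INSERT INTO ps_product (ean13, name) VALUES ('4006381333931', 'Widget')");
    return $pdo;
}

// Report whether the table survived a query.
function tableExists(PDO $pdo): bool {
    $r = $pdo->query("SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='ps_product'");
    return (int)$r->fetchColumn() === 1;
}

// Unsafe: $ean is concatenated into the SQL text. pdo_sqlite's exec() hands the
// whole string to SQLite, so a trailing statement in the input runs as well.
// This is the "two queries" situation described in the second reply.
function unsafeLookup(PDO $pdo, string $ean): void {
    $pdo->exec("SELECT * FROM ps_product WHERE id_product = " . $ean);
}

// Safe: an explicit column list, a single statement, and the value bound as
// data through a prepared statement rather than escaped by hand.
function safeLookup(PDO $pdo, string $ean): array {
    $stmt = $pdo->prepare('SELECT id_product, ean13, name FROM ps_product WHERE ean13 = :ean');
    $stmt->execute([':ean' => $ean]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$EAN = "0; DROP TABLE ps_product;"; // the hostile value from the thread

$db = freshDb();
unsafeLookup($db, $EAN);
echo "after unsafe lookup, table exists: " . var_export(tableExists($db), true) . "\n";

$db = freshDb();
$rows = safeLookup($db, $EAN);
echo "after safe lookup, table exists: " . var_export(tableExists($db), true) . "\n";
echo "rows matched for hostile value: " . count($rows) . "\n";
echo "rows matched for real EAN: " . count(safeLookup($db, '4006381333931')) . "\n";
```

Run it with the PHP CLI; the first line reports the table gone after the concatenated query, the second set shows the prepared statement treating the whole string as a (non-matching) EAN value and leaving the table intact. Binding the value is what makes the difference, not how the string is escaped, which is why prepared statements are the usual recommendation over manual escaping.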
