Subject: You've got a big SQL Injection...
Summary: Package rating comment
Messages: 3
Author: Kai Dorschner
Date: 2009-08-03 09:14:33
Update: 2009-08-03 10:15:05
Kai Dorschner rated this package as follows:
Utility: Sufficient
Consistency: Insufficient
Documentation: Sufficient
Examples: Good
Kai Dorschner - 2009-08-03 09:14:33
You've got a big SQL Injection problem in, for example, your showRating() method. You parametrized $_GET['item_id'] without ANY check (htmlentities, or else). This var is directly inserted into a MySQL string!
Be careful with SQL.
Greets,
Kai
Manish Khanchandani - 2009-08-03 09:35:00 - In reply to message 1 from Kai Dorschner
$_GET['item_id'] is taken as an example of how you will use this class. It is up to you how you take the item_id or product_id or any unique key id in your application. If you want, you can pass item id with htmlentities. I have given one example of how to use this class.
Kai Dorschner - 2009-08-03 10:15:05 - In reply to message 2 from Manish Khanchandani
Your answer is quite correct, but don't you think for encapsulation and usability reasons it's better to implement the SQL-checking routine inside your classes so nobody has to grapple with those sticky things?
Btw, you should even document that one has to implement this routine, if you won't implement it yourself. Not everyone is that safe to handle that problem.
Greets,
Kai
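What the thread argues for, as an added example (not the package's own code): a rating class whose showRating() validates item_id and binds it as a query parameter, so the caller can keep reading it from $_GET while the class does the checking. The class name, the PDO connection, and the table and column names (ratings, item_id, rating) are assumptions; htmlentities() is an HTML output escape and is not a substitute for parameterized SQL.

```php
<?php
// Added example, not the package's code. Table/column names are assumptions.
class Rating
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        // Real server-side prepares: with emulation the driver interpolates client-side.
        $this->db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    // The pattern the thread complains about: request input pasted into the SQL string.
    public function showRatingUnsafe(string $itemId): array
    {
        $sql = "SELECT AVG(rating) AS avg_rating, COUNT(*) AS votes "
             . "FROM ratings WHERE item_id = '" . $itemId . "'";
        return $this->db->query($sql)->fetch(PDO::FETCH_ASSOC);
    }

    // Hardened form: type-check first, then pass the value as a bound parameter.
    public function showRating(string $itemId): array
    {
        // item_id is assumed to be a positive integer key; reject anything else early.
        if (!ctype_digit($itemId)) {
            throw new InvalidArgumentException('item_id must be a positive integer');
        }
        $stmt = $this->db->prepare(
            'SELECT AVG(rating) AS avg_rating, COUNT(*) AS votes '
            . 'FROM ratings WHERE item_id = :item_id'
        );
        $stmt->bindValue(':item_id', (int) $itemId, PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->fetch(PDO::FETCH_ASSOC);
    }
}

// Caller still takes the id from the request; the class now owns the checking.
$db = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass'); // placeholder DSN
$rating = new Rating($db);
$row = $rating->showRating($_GET['item_id'] ?? '');
// htmlspecialchars() belongs here, at HTML output time, not in the SQL layer.
echo 'Average: ' . htmlspecialchars((string) $row['avg_rating'])
   . ' from ' . (int) $row['votes'] . ' votes';
```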