Hello there, this is my first post (and I’m sure you would have figured that out in short order
In the below example I understand that the '_SERVER[‘PATH_INFO’ line just removes all slashes in the load Path of the Server and doesn’t really relate to any SQL injection.
I see that the real concern is that a malicious person may be able to modify the content of the server variable, and in that case, because in the second line there is no filtering of the data in the use of the $_Get[‘id’], which is just a string, that it may contain just about anything.
So, if a bad actor puts “‘myfilename’; drop Database;” into $_SERVER[‘PATHINFO’], he/she may be able to delete the entire Database of the Server.
So… here are my 2 questions:
-
Why do we even need have the load Path of the Server there? If a form is always referencing a particular database somewhere, shouldn’t that info be static in some private file?
-
In reading about this class of exploit, there seem to be two basic ways to resolve this:
Via a bit of code that (I presume) basically says, “I as the designer, expect to see only the number 0-9 inputted, test for this, and disallow everything else” [aka “Input Validation with a Whitelist”]
Or, via a code function that says “filter/exclude input content of the following type, semicolons, negative numbers, etc” [Using Parameterized Queries]
Assuming the only legal permissible input is 0-9… Can someone show me examples of these two functions please?
Finally I’ve seen referenced a PHP library call that achieves some or all of the above, vis-a-vis filtering. How commonly used is that?
include_once "lib/db.php";
include "lib/sql_form.php";
if(!$_GET['id'])
$_GET['id'] = str_replace("/", "", $_SERVER['PATH_INFO']);
$query = "SELECT * FROM listings WHERE id = ".$_GET['id'];
$result = mysql_query($query);
Thank you so much, I appreciate any insight anyone has.