Forked from terrymun/bettermysql-sanitize-input.php
Last active August 29, 2015 14:27
Revisions
terrymun revised this gist
Aug 19, 2015. No changes.
terrymun revised this gist
Aug 19, 2015. 1 changed file with 1 addition and 1 deletion.
@@ -1,5 +1,5 @@ <?php // Assuming that database connection is already open // Let's say a user is allowed to provide a table name to query from $tableName = trim($_GET['tableName']); -
terrymun revised this gist
Aug 18, 2015. 1 changed file with 1 addition and 1 deletion.
@@ -2,7 +2,7 @@ // Assuming that database connection is established via $db object // Let's say a user is allowed to provide a table name to query from $tableName = trim($_GET['tableName']); // This would NOT work (no good!) $stmt = $db->prepare("SELECT user, id, email FROM :table WHERE id > 1000"); -
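Review bot: the `trim()` added on the `$tableName = trim($_GET['tableName']);` line only strips surrounding whitespace and is not a sanitization step; the whitelist comparison further down the file remains the actual control. Given the file name (`bettermysql-sanitize-input.php`), add a short comment on that line saying `trim()` is cosmetic so a reader does not mistake it for validation, and consider guarding against a missing parameter (`$_GET['tableName'] ?? ''`) so the line does not emit an undefined-index notice when the query string is absent.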
terrymun created this gist
Aug 18, 2015.
@@ -0,0 +1,26 @@ <?php // Assuming that database connection is established via $db object // Let's say a user is allowed to provide a table name to query from $tableName = $_GET['tableName']; // This would NOT work (no good!) $stmt = $db->prepare("SELECT user, id, email FROM :table WHERE id > 1000"); $stmt->bindParam(':table', $tableName); $stmt->execute(); // More... // This would work (OSSOM) // Check user input against a whitelist $tableNames = array('userdata1', 'userdata2', 'userdata3'); // If user input matches an entry within the whitelist, go ahead if(in_array($tableName, $tableNames)) { $stmt = $db->prepare("SELECT user, id, email FROM `$tableName` WHERE id > 1000"); $stmt->execute(); // More... } else { // Throw an error } ?>
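Review bot: the whitelist check `if(in_array($tableName, $tableNames))` should pass `true` as the third argument (`in_array($tableName, $tableNames, true)`) so only an exact string match is accepted, and the `else` branch, which currently holds only the comment `// Throw an error`, needs a real failure path (for example `throw new InvalidArgumentException('Unknown table');`) so an unlisted name cannot fall through silently. The two variants are also sequential statements rather than alternatives: the "would NOT work" block is executed first and its `execute()` fails (PDO placeholders stand for values, not identifiers, so the bound table name is sent as a quoted string or rejected at prepare time), so either comment it out or split the file so the whitelist version actually runs as the demonstration.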