genesisvh
asked on
Protect from changing id=

I'm wondering if anyone can help me protect the following script from someone changing the id= and any other type of mysql injection. Thanks
<?php
	include "dbaptsConfig.php";
	include "searchaptsstyle.css";
	// test id, you need to replace this with whatever id you want the result from
	$id = $_GET['id'];
		
	// what you want to ask the db
	$query = "SELECT * FROM `apartments` WHERE `id` = $id";
	
	// actually asking the db
	$res = mysql_query($query, $ms);
		
	// receiving the answer from the db (you can only use this line if there is always only one result, otherwise it will give an error)
	$result = mysql_fetch_assoc($res);

	// if you uncomment the next line it prints out the whole result as an array (prints out the image as weird characters)
	// print_r($result);		

	// print out specific information (not the whole array)			
  	echo "<br/>";
	echo "<div id='title'><div align='center'>".$result['title']."<br/></div>";
	echo "<br/>";
  	echo "<div id='description'><div align='center'>".$result['description']."<br /></div>"; 
	echo "<br/>";
	echo "<div id='table'><div align='left'><tr>"; 	
	echo "<td bgcolor='#FFFFFF' style='color: #000' align='center'> Provider's Phone Number: ".$result['phone']."<br /></td>";
	echo "<td bgcolor='#FFFFFF' style='color: #000' align='center'> Provider: ".$result['service']."<br /></td>";
	echo "<td bgcolor='#FFFFFF' style='color: #000' align='center'> Borough: ".$result['county']."<br /></td>";
	echo "<td bgcolor='#FFFFFF' style='color: #000' align='center'> Town: ".$result['town']."<br /></td>";
	echo "<td bgcolor='#FFFFFF' style='color: #000' align='center'> Bedrooms: ".$result['rooms']."</td>";
	echo "<td>&nbsp;&nbsp;&nbsp;</td>";
	echo "<td bgcolor='#FFFFFF' style='color: #000' align='center'> Bathrooms: ".$result['bath']."<br /></td>";
	echo "<td bgcolor='#FFFFFF' style='color: #000' align='center'> Square Footage: ".$result['square']."<br /></td>";
	echo "<td bgcolor='#FFFFFF' style='color: #000' align='center'> Rent: ".$result['rent']."<br /></td>";
	echo "<td bgcolor='#FFFFFF' style='color: #000' align='center'> Listed On: ".$result['time']."<br /></td>";
	echo "<br/>";
	echo "Click on Images to Enlarge";
	echo "</tr></div>";

?>
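A hardened rewrite of the script above, added here as an example and not taken from the original post or any of the answers. It swaps the old mysql_* calls for PDO prepared statements, validates id= as a positive integer before it reaches the query, and escapes the values on output; the connection variables $dsn, $dbuser and $dbpass are assumed to come from dbaptsConfig.php (hypothetical names).

```php
<?php
// Hardened apartments lookup (added example, not the asker's code).
// Assumes the same `apartments` table and columns as the original script and a
// dbaptsConfig.php that defines $dsn, $dbuser, $dbpass for PDO (assumed names).
declare(strict_types=1);
include "dbaptsConfig.php";

// 1. Validate the shape of the input before it goes anywhere near SQL.
//    FILTER_VALIDATE_INT rejects "11;DELETE FROM apartments;", empty strings
//    and anything else that is not a whole number; min_range also rejects 0/-1.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid id');
}

// 2. Use a prepared statement: the value travels separately from the SQL text,
//    so a tampered value can only ever be compared, never parsed as SQL.
$pdo = new PDO($dsn, $dbuser, $dbpass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);
$stmt = $pdo->prepare('SELECT * FROM `apartments` WHERE `id` = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);

if ($result === false) {
    http_response_code(404);
    exit('No such listing');
}

// 3. Escape every value on the way out so markup stored in a listing field is
//    displayed as text instead of being rendered by the visitor's browser.
function h($v): string { return htmlspecialchars((string)$v, ENT_QUOTES, 'UTF-8'); }

echo "<div id='title'><div align='center'>" . h($result['title']) . "</div></div>";
echo "<div id='description'><div align='center'>" . h($result['description']) . "</div></div>";
echo "<table id='table'><tr>";
foreach (['phone' => "Provider's Phone Number", 'service' => 'Provider',
          'county' => 'Borough', 'town' => 'Town', 'rooms' => 'Bedrooms',
          'bath' => 'Bathrooms', 'square' => 'Square Footage',
          'rent' => 'Rent', 'time' => 'Listed On'] as $col => $label) {
    echo "<td align='center'>" . $label . ': ' . h($result[$col]) . '</td>';
}
echo "</tr></table>";
```

Because the id is bound as PDO::PARAM_INT and already validated, the query can only ever see a number, whatever is typed into the URL.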

ASKER CERTIFIED SOLUTION
Dave Baldwin

SOLUTION
You could, but it might just take the first thing that looks like a number to compare against and still leave a string after it that could compromise your database. Remember that a ';' is the end of a statement in MySQL, so if $id is a string like "11;DELETE FROM apartments;", it will erase all of the rows in your table.
genesisvh
ASKER
I have to split the points, but all these answers are great. Thanks.