genesisvh
asked on
Protect from changing id=
I'm wondering if anyone can help me protect the following script from someone changing the id= and any other type of MySQL injection. Thanks.
<?php
include "dbaptsConfig.php";
include "searchaptsstyle.css";
// test id, you need to replace this with whatever id you want the result from
$id = $_GET['id'];
// what you want to ask the db
$query = "SELECT * FROM `apartments` WHERE `id` = $id";
// actually asking the db ($ms is the connection opened in dbaptsConfig.php)
$res = mysql_query($query, $ms);
// receiving the answer from the db (you can only use this line if there is always only one result, otherwise will give error)
$result = mysql_fetch_assoc($res);
// if you uncomment the next line it prints out the whole result as an array (prints out the image as weird characters)
// print_r($result);
// print out specific information (not the whole array)
echo "<br/>";
echo "<div id='title'><div align='center'>".$result['title']."<br/></div></div>";
echo "<br/>";
echo "<div id='description'><div align='center'>".$result['description']."<br /></div></div>";
echo "<br/>";
echo "<div id='table'><div align='left'><table><tr>";
echo "<td bgcolor='#FFFFFF' style='color: #000' align='center'> Provider's Phone Number: ".$result['phone']."<br /></td>";
echo "<td bgcolor='#FFFFFF' style='color: #000' align='center'> Provider: ".$result['service']."<br /></td>";
echo "<td bgcolor='#FFFFFF' style='color: #000' align='center'> Borough: ".$result['county']."<br /></td>";
echo "<td bgcolor='#FFFFFF' style='color: #000' align='center'> Town: ".$result['town']."<br /></td>";
echo "<td bgcolor='#FFFFFF' style='color: #000' align='center'> Bedrooms: ".$result['rooms']."</td>";
echo "<td> </td>";
echo "<td bgcolor='#FFFFFF' style='color: #000' align='center'> Bathrooms: ".$result['bath']."<br /></td>";
echo "<td bgcolor='#FFFFFF' style='color: #000' align='center'> Square Footage: ".$result['square']."<br /></td>";
echo "<td bgcolor='#FFFFFF' style='color: #000' align='center'> Rent: ".$result['rent']."<br /></td>";
echo "<td bgcolor='#FFFFFF' style='color: #000' align='center'> Listed On: ".$result['time']."<br /></td>";
echo "</tr></table>";
echo "<br/>";
echo "Click on Images to Enlarge";
echo "</div></div>";
?>
You could, but it might just take the first thing that looks like a number to compare against and still leave a string after it that could compromise your database. Remember that a ';' is the end of a statement in MySQL, so if $id is a string like "11;DELETE FROM apartments;", it will erase all of the rows in your table.
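A hardened version of the asker's lookup, added here as an example (it is not the asker's script or any of the gated answers). It assumes dbaptsConfig.php defines `$pdo`, a PDO connection to the same database; the table and column names are those from the question. The id is validated as a whole integer, so an input like the "11;DELETE FROM apartments;" above is rejected rather than truncated to 11, and it is then passed as a bound parameter so it can never change the query text.

```php
<?php
// Added example, not the asker's script or any expert's answer. Assumes
// dbaptsConfig.php defines $pdo, a PDO connection to the same database.
include "dbaptsConfig.php";

// 1. Validate id as a whole integer. FILTER_VALIDATE_INT rejects a value
//    like "11;DELETE FROM apartments;" outright, whereas (int)/intval()
//    would silently truncate it to 11 and hide the tampering.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT,
                   ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Invalid apartment id.');
}

// 2. Bind the value instead of interpolating it into the SQL string, so the
//    database receives it as data and the query text can never change.
$stmt = $pdo->prepare('SELECT * FROM `apartments` WHERE `id` = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if ($result === false) {
    http_response_code(404);
    exit('No apartment with that id.');
}

// 3. Escape every field on output so stored text is displayed, not rendered.
function h($s) {
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

echo "<div id='title' align='center'>" . h($result['title']) . "</div><br/>";
echo "<div id='description' align='center'>" . h($result['description']) . "</div><br/>";
echo "<table id='table'><tr>";
$fields = [
    "Provider's Phone Number" => 'phone', 'Provider'  => 'service',
    'Borough'        => 'county',         'Town'      => 'town',
    'Bedrooms'       => 'rooms',          'Bathrooms' => 'bath',
    'Square Footage' => 'square',         'Rent'      => 'rent',
    'Listed On'      => 'time',
];
foreach ($fields as $label => $col) {
    echo "<td bgcolor='#FFFFFF' style='color: #000' align='center'>"
       . h($label) . ": " . h($result[$col]) . "</td>";
}
echo "</tr></table><br/>Click on Images to Enlarge";
```

If the site still runs on the old mysql_* extension, the same two steps apply: validate the id with FILTER_VALIDATE_INT and, since that API has no bound parameters, only ever place the validated integer into the query.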
ASKER
I have to split the points, but all these answers are great. Thanks.