MyBB Community Forums

Full Version: Stop PHP string from executing?
So, in my efforts to get a better understanding of PHP & MySQL I've started working on this basic pastebin type of script.

At the moment I have been able to paste something and submit it to the database using PDO. However, if someone submits anything that's PHP the results page will attempt to execute the code.

Any insight to point me to the right direction?
If a string is executed you are doing something wrong, this should never happen. Could you please provide your code?
(2013-08-23, 11:25 AM)StefanT Wrote: If a string is executed you are doing something wrong, this should never happen. Could you please provide your code?

I'm using a GET request to execute a PDO query which grabs the data from a column then parsing that to display it on the page.

If that column has something like "echo 'hello'" then it will execute.
Post your code. How is anyone supposed to troubleshoot your issue without physically seeing your code?
(2013-08-23, 05:25 PM)MYSQLi Wrote: Post your code. How is anyone supposed to troubleshoot your issue without physically seeing your code?

http://pastie.org/pastes/8263299/text?ke...byu7r8tqsa

First script, so any pro-tips are welcomed.
First script? Good job on using PDO instead of mysql_*. Just a note, your script is vulnerable to SQL injection -- if I provided something like this as a value (assuming $_GET['id'] is a number): 12;DROP TABLE content, your db would be compromised. Just a security tip, code as if the end user will exploit the script. I do not use PDO myself (I prefer mysqli), but I think the correct function to use is $stmt->quote($_GET['id']) or (int)$_GET['id'].

Anyway onto your actual issue.
You're not doing anything foolish in the script as far as I can see. To clarify, if I were to post "echo 'foo'", then 'foo' would be output? If so, something is wrong with your script, as that should only happen when a certain function (eval()) is involved. Try locating the erroneous line by commenting out other lines until you've found it. I suspect it's line 24 (echo "$value<br />";), but we can't be too sure.

And since you're welcoming pro-tips, here are a few:
- as I said, never trust user input.
- if you declare a variable, use it. You set $gRequest to $_GET['id'] then use $_GET['id'] straight after instead of $gRequest.
- in your HTML, setting the action attribute to nothing (i.e. action="") is the same as redirecting it to $_SERVER['PHP_SELF'].
- if(isset($_GET['id']) == false) is the same as if(!isset($_GET['id'])), the latter is shorter.
- echo $ex should be echo $ex->getMessage().
Yea, the reason why it's executing is because the output is done within the php tags.

I'll look into it more, I kinda figured I was still prone to SQL injection since I haven't really looked into prepared statements.
For your echo "$value<br />";, try instead echo $value . "<br />";. IDK if that'll help, but it might.

Also, when preparing your SQL, instead of directly dumping the values into the query, take advantage of the one feature PDO has over the raw SQL libraries: parameterized queries (I have no idea if that's actually what it's called).

One example:
// Instead of this:
$stmt = $connection->prepare("SELECT c FROM t WHERE ID=$v");
$stmt->execute();
$result = $stmt->fetch(\PDO::FETCH_ASSOC);

// Use this:
$stmt = $connection->prepare("SELECT c FROM t WHERE ID=:v");
$stmt->execute(array('v' => $variable));
$result = $stmt->fetch(\PDO::FETCH_ASSOC);

It automatically escapes all the parameters for you. If you have multiple variables, just add them to that array in the execute().

There are also a few little stylistic things that could be fixed to be more in line with what most programmers would consider normal but nothing that would break the program.
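As an added example (not code from the thread or from the poster's pastie), here is a paste lookup that combines the prepared query shown above with escaping of the stored text on output, on the assumption that the "execution" the original poster sees is the browser interpreting the pasted text as markup rather than showing it literally. It assumes a table `content` with columns `id` and `body`, and uses an in-memory SQLite database through PDO so it runs without a MySQL server.

```php
<?php
declare(strict_types=1);

// Added example: in-memory SQLite stands in for the poster's MySQL database.
// Table and column names are assumed; the sample paste is constructed.
function connect(): PDO {
    $db = new PDO('sqlite::memory:');
    // Throw on errors so a failed query cannot silently return nothing.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE content (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    $db->prepare('INSERT INTO content (body) VALUES (:body)')
       ->execute(['body' => "<?php echo 'hello'; ?>\n<script>alert(1)</script>"]);
    return $db;
}

// Prepared query: the id is bound as a parameter, never interpolated into
// the SQL string. Returns null for a non-numeric id or when no row matches.
function fetchPaste(PDO $db, string $rawId): ?string {
    if (!preg_match('/^\d+$/', $rawId)) {
        return null;                      // e.g. "12;DROP TABLE content" is rejected
    }
    $stmt = $db->prepare('SELECT body FROM content WHERE id = :id');
    $stmt->execute(['id' => (int) $rawId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['body'];
}

// Output escaping: the paste is data, so every character with meaning in
// HTML is encoded. The browser then shows "<?php echo 'hello'; ?>" as text
// instead of treating it as a tag, and the <script> cannot run.
function renderPaste(string $body): string {
    return '<pre>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</pre>';
}

$db = connect();
// Stand-ins for $_GET['id']: a valid id, an injection attempt, a missing row.
foreach (['1', '12;DROP TABLE content', '999'] as $requested) {
    $body = fetchPaste($db, $requested);
    echo $requested, ' => ', $body === null ? "not found\n" : renderPaste($body) . "\n";
}
```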
@Firestryke -- Prepared query is the name you're looking for.