Steve Macleod wrote:
<snip>
for ( $marker=1; $marker<=$number_of_records; $marker++) {
    // Raw POST values go straight into the SQL text (the problem discussed below).
    // Braces are required: "$_POST[txt_$marker]" is a PHP parse error.
    $sql = "UPDATE faq SET faq_quest='{$_POST["txt_$marker"]}',
        faq_ans='{$_POST["txt_ans$marker"]}' WHERE faq_id = '{$_POST["txt_ans$marker"]}'";
    //code here to actually RUN the SQL query
}
This code is insecure! You're leaving yourself open to an SQL injection
attack.
Do you check what $_POST[txt_1] etc. contain first? If not, you could be
letting yourself in for a whole world of trouble.
Say I post the param txt_1 to the script (along with the other params needed
to fool it into running, etc.).
Imagine that I set the value of txt_1 to:
"'; DROP DATABASE mysql; -- "
(the double quotes indicate the start and end, the single quote is part of
the value).
That means you're running two queries, and if the attack is carried out
right, the second query ('injected' into the SQL) could do some damage. If
your setup is anywhere near secure then the MySQL user you're connected to
the DB as would not have the right to drop the 'mysql' database, but it's
an example of what could happen.
The basic rule I'd suggest is to always call addslashes() on EVERY value
that you're going to use in an SQL query. A regular expression can also be
used to remove dodgy characters, or even more secure, remove anything
that's NOT one of the characters you want to allow.
Cheers
Dave P
--
David Precious
http://www.preshweb.co.uk/
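The UPDATE from the quoted loop built both ways, as an added example that is not code from the thread: the raw-interpolation form Dave is warning about next to a parameterised form using a PDO prepared statement (a technique swapped in here; the thread itself recommends addslashes()). It assumes a PDO connection in $pdo, a table faq(faq_id, faq_quest, faq_ans), and a hypothetical txt_id<N> field carrying the row id.

```php
<?php
// Added example, not code from the original thread. Assumes a PDO connection
// in $pdo and a table faq(faq_id, faq_quest, faq_ans); the txt_id<N> field is
// hypothetical (the quoted loop reuses txt_ans<N> in its WHERE clause).

// Constructed stand-in for $_POST, with Dave's payload in txt_1.
$post = [
    'txt_1'    => "'; DROP DATABASE mysql; -- ",
    'txt_ans1' => 'An answer',
    'txt_id1'  => '7',
];

// Before: the quoted loop's approach, raw values spliced into the SQL text.
// The quote inside txt_1 ends the faq_quest literal early, so the rest of
// the value is parsed as SQL and "--" comments out the original tail.
function buildUnsafeUpdate(array $post, int $marker): string
{
    return "UPDATE faq SET faq_quest='" . $post['txt_' . $marker] . "', "
         . "faq_ans='" . $post['txt_ans' . $marker] . "' "
         . "WHERE faq_id = '" . $post['txt_id' . $marker] . "'";
}

// After: a prepared statement (swapped in here; the thread recommends
// addslashes()). The SQL text is fixed and the values are bound separately,
// so a quote inside a value can never change the statement's structure.
function updateFaqRow(PDO $pdo, array $post, int $marker): int
{
    $id = $post['txt_id' . $marker] ?? '';
    // Allow-list check of the kind the thread suggests: digits only for the id.
    if (!preg_match('/^\d+$/', $id)) {
        throw new InvalidArgumentException("bad faq_id for marker $marker");
    }
    $stmt = $pdo->prepare(
        'UPDATE faq SET faq_quest = :quest, faq_ans = :ans WHERE faq_id = :id'
    );
    $stmt->bindValue(':quest', $post['txt_' . $marker] ?? '');
    $stmt->bindValue(':ans', $post['txt_ans' . $marker] ?? '');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Inspect what the old approach would have sent to the server.
echo buildUnsafeUpdate($post, 1), "\n";
```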