Comments on: Creating People friendly URLs using PHP and MYSQL http://imgiseverything.co.uk/2005/10/12/creating-people-friendly-urls-using-php-and-mysql/ Manchester web designer Phil Thompson Wed, 07 Jan 2009 04:16:04 +0000 http://wordpress.org/?v=2.7 hourly 1 By: phil http://imgiseverything.co.uk/2005/10/12/creating-people-friendly-urls-using-php-and-mysql/comment-page-1/#comment-59004 phil Sat, 19 Jan 2008 17:15:39 +0000 http://imgiseverything.co.uk/2005/10/12/creating-people-friendly-urls-using-php-and-mysql/#comment-59004 Quite right marchaos, the examples above shouldn't be copied and pasted as they are vulnerable to this kind of hack. A better idea is to escape your value eg SELECT * FROM articles WHERE title_html = ' escape($_GET['title'])'; where escape() would contain all your data cleansing functions of choice eg addslashes() or mysql_real_escape_string() Quite right marchaos, the examples above shouldn’t be copied and pasted as they are vulnerable to this kind of hack.

A better idea is to escape your value eg

SELECT * FROM articles WHERE title_html = ‘ escape($_GET['title'])’;

where escape() would contain all your data cleansing functions of choice eg addslashes() or mysql_real_escape_string()

]]> By: marchaos http://imgiseverything.co.uk/2005/10/12/creating-people-friendly-urls-using-php-and-mysql/comment-page-1/#comment-58985 marchaos Sat, 19 Jan 2008 15:01:16 +0000 http://imgiseverything.co.uk/2005/10/12/creating-people-friendly-urls-using-php-and-mysql/#comment-58985 $_GET['title'] = '""; drop table articles'; SELECT * FROM articles WHERE title_html = $_GET['title']; nuff said. $_GET['title'] = ‘”"; drop table articles’;

SELECT * FROM articles WHERE title_html = $_GET['title'];

nuff said.

]]>