PDO - PHP pagination security regarding INT

I'm looking to update the pagination on a page to PDO. However, I want to make sure it is 100% free of SQL injection etc.

Below is the content of the pagination script I have found, which I think works without issues. It's pulling data from the URL and I'm a bit concerned regarding this line:

if (isset($_GET["page"])) { $page  = $_GET["page"]; } else { $page=1; };

I can see isset there checks if the variable is null (I think) but I can't see any check that it is a number.

I was thinking of changing it to:

if (isset($_GET["page"])) { $page  = (int)$_GET["page"]; } else { $page=1; };

as I think that checks if the page variable is a number. Or should it be:

if (isset((int)$_GET["page"])) { $page  = $_GET["page"]; } else { $page=1; };

Or use int on both? I think in old MySQL I have used striptags etc., but I'm not sure with PDO (still learning).

Here is the full code before the change mentioned above.

<?php
    include('connect.php');
    // Page number taken straight from the URL with no validation
    if (isset($_GET["page"])) { $page  = $_GET["page"]; } else { $page=1; };
    $start_from = ($page-1) * 3;

    // The offset is interpolated into the SQL string, so it is not a bound parameter
    $result = $db->prepare("SELECT * FROM members ORDER BY id ASC LIMIT $start_from, 3");
    $result->execute();
    for($i=0; $row = $result->fetch(); $i++){
?>
<tr class="record">
    <td><?php echo $row['a']; ?></td>
    <td><?php echo $row['b']; ?></td>
    <td><?php echo $row['c']; ?></td>
</tr>
<?php
    }
?>
</tbody>
</table>
<div id="pagination">
<?php
    $result = $db->prepare("SELECT COUNT(id) FROM members");
    $result->execute();
    $row = $result->fetch();
    $total_records = $row[0];
    $total_pages = ceil($total_records / 3);

    for ($i=1; $i<=$total_pages; $i++) {
        echo "<a href='index.php?page=".$i."'";
        if($page==$i)
        {
            echo " id=active";
        }
        echo ">";
        echo "".$i."</a> ";
    };
?>

connect.php contains:

$db = new PDO('mysql:host='.$db_host.';dbname='.$db_database, $db_user, $db_pass);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

Any help or guidance is appreciated. If you can spot anything else security-wise, please let me know.

Edit:

Added the line:

$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

to connect.php.

Any other security tips?

Use parameterized queries to avoid the possibility of injections. Using PDO you can:

  1. pass the user provided values to execute in an array
  2. place a question mark placeholder in place of the user data

// Values passed to execute() are bound as strings. This works with emulated
// prepares turned off (as in the edit above); with emulation on, PDO would
// quote the value and LIMIT '3', 3 is a syntax error, so bind with PARAM_INT instead.
$result = $db->prepare("SELECT * FROM members ORDER BY id ASC LIMIT ?, 3");
$result->execute(array((int)$start_from));

You can also bind it, http://php.net/manual/en/pdostatement.bindparam.php (based on the doc and other threads, I don't bind).

// bindParam takes the variable by reference, so the cast has to happen
// before the call: passing (int)$start_from directly is a fatal error.
$start = (int)$start_from;
$result = $db->prepare("SELECT * FROM members ORDER BY id ASC LIMIT :start, 3");
$result->bindParam(':start', $start, PDO::PARAM_INT);
$result->execute();

Here's a longer thread on it: How can I prevent SQL injection in PHP?

Also the PHP notes on it, http://php.net/manual/en/pdo.prepared-statements.php

For a longer sample, if you had multiple values coming in:

// The conjunction between the two conditions was lost in extraction; AND is assumed here.
$result = $db->prepare("SELECT * FROM members WHERE username = ? AND email = ? ORDER BY id ASC LIMIT ?, 3");
$result->execute(array($_GET['name'], $_GET['email'], $start_from));
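The two points raised in the thread, validating the page number as an integer and binding the LIMIT values instead of interpolating them, put together as one runnable script. This is an added example, not code from the question or the answer: the function names pageFromQuery, fetchPage and totalPages are mine, the members table and its rows are constructed here, and it uses an in-memory SQLite database (assumes the pdo_sqlite extension is present) so that it runs without a MySQL server.

```php
<?php
// Added example (not from the question or answer): safe page handling for
// a PDO-backed pagination query. Uses an in-memory SQLite database so it
// runs offline; the connection and the "members" table are constructed here.
// Assumes the pdo_sqlite extension is available.

const PER_PAGE = 3;

// Validate the page number: it must be an integer >= 1, otherwise fall back to 1.
// filter_var rejects "1 OR 1=1", "1.5", "" and "abc"; a bare (int) cast would
// silently turn "abc" into 0 and "-4" into -4, giving a negative LIMIT offset.
function pageFromQuery(array $query): int
{
    $page = filter_var(
        $query['page'] ?? 1,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $page === false ? 1 : $page;
}

// Hardened query: offset and row count are bound as integers, never
// concatenated into the SQL string. PDO::PARAM_INT matters when prepares
// are emulated, because string-bound values would be quoted inside LIMIT.
function fetchPage(PDO $db, int $page, int $perPage = PER_PAGE): array
{
    $offset = ($page - 1) * $perPage;
    $stmt = $db->prepare('SELECT id, a FROM members ORDER BY id ASC LIMIT :offset, :count');
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->bindValue(':count', $perPage, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Page count for the pagination links; at least 1 so the loop always renders a link.
function totalPages(PDO $db, int $perPage = PER_PAGE): int
{
    $total = (int) $db->query('SELECT COUNT(id) FROM members')->fetchColumn();
    return max(1, (int) ceil($total / $perPage));
}

// --- constructed sample data (not a real members table) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, a TEXT)');
$insert = $db->prepare('INSERT INTO members (a) VALUES (?)');
foreach (['alice', 'bob', 'carol', 'dave', 'erin', 'frank', 'grace'] as $name) {
    $insert->execute([$name]);
}

// Inputs a page might receive, including ones a raw (int) cast or string
// interpolation would mishandle. Every one of them reaches the database
// only as a bound integer.
foreach (['2', 'abc', '-4', '1 OR 1=1', '99'] as $raw) {
    $page = pageFromQuery(['page' => $raw]);
    $rows = fetchPage($db, $page);
    printf("page=%-12s -> validated %d, rows: %s\n",
        var_export($raw, true), $page, implode(',', array_column($rows, 'a')));
}
printf("total pages: %d\n", totalPages($db));
```

Run it with `php pagination.php`. The same two functions work unchanged against the MySQL connection from connect.php, since MySQL also accepts the `LIMIT offset, count` form with bound integer parameters; only the constructed SQLite setup at the bottom would be dropped.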
