In Need Of PHP Help Please

5 replies
Hello,

I have a URL I'm trying to pull the ID and memberid from.

ezcapturepage.com/custom.php?id=17&thememberid=snotb4ll

I'm trying to pass the information over to this page.

ezcapturepage.com/otopage.php

I have the memberid working fine using a session I just cannot get the ID in the URL to also pull in so I can include it in a link on the otopage.

Here is the code I have so far.

PHP Code:
<?php

session_start();

// Both values currently come from the session; the member id is set elsewhere,
// but nothing ever puts 'pageid' into the session, so $pageid stays empty.
$thememberid = $_SESSION['thememberid'];
$pageid = $_SESSION['pageid'];

include "config.php";

// Look up the referring member's PayPal address.
$getpaypal = mysql_query("SELECT paypal_email FROM members WHERE userid='$thememberid'");
$getpaypalresult = mysql_fetch_array($getpaypal);
$commissionpaypalemail = $getpaypalresult["paypal_email"];

// Fall back to a default address when the member has none on file.
if ($commissionpaypalemail == "") $commissionpaypalemail = "snotb4ll@yahoo.com";

// Look up the custom page; this is the id that should be coming from the URL.
$getpageid = mysql_query("SELECT * FROM custompages WHERE id='$pageid'");
$getpageidresult = mysql_fetch_array($getpageid);
$thepageid = $getpageidresult["id"];

?>
  • peteJ
    If you're trying to get a variable from the URL you need to use $_GET[] to access it.
  • RuiGomes
    You need to change:

    Code:
    $thememberid = $_SESSION['thememberid'];
    
    $pageid = $_SESSION['pageid'];
    to

    Code:
    $thememberid = mysql_real_escape_string($_GET['thememberid']);
    
    // the page id is the 'id' parameter in the URL, so it comes from $_GET as well
    $pageid = mysql_real_escape_string($_GET['id']);
    Also be aware that since you're using plain old mysql_query, your website will be vulnerable to SQL injection. The mysql_real_escape_string function I added will prevent this, but you should look into prepared statements.
  • burton247
    As RuiGomes said, you need to escape your parameters. Just look up SQL injection on Wikipedia if you want to learn more (which I strongly advise you to). But for completeness, you could end up with:

    Code:
    $pageid = " 1';drop table custompages' "
    SELECT * FROM custompages WHERE id=1';drop table custompages';

    Whoops, your table has just been deleted. Of course SQL injection isn't limited to deleting tables.

    Further to reiterating RuiGomes's point I'd also like to add the importance of keeping the single quotes in the query. The query will execute fine without them but you'll still be open to SQL injection in another form.

    This is safe:
    PHP Code:
    $pageid = mysql_real_escape_string($_GET['id']);
    $getpageid = mysql_query("SELECT * FROM custompages WHERE id='$pageid'");
    This will work but isn't:
    PHP Code:
    $pageid = mysql_real_escape_string($_GET['id']);
    $getpageid = mysql_query("SELECT * FROM custompages WHERE id=$pageid");
    If I inject "1 OR 1 = 1" into your query string then you'll end up with:
    SELECT * FROM custompages WHERE id=1 OR 1=1

    Given the use of the query this is somewhat pointless, but if you were trying to verify a user's username and password it would allow anything through. Not good.

    So yeah, whenever grabbing *anything* from a user (GET or POST) always use mysql_real_escape_string() but also remember that this alone is not necessarily enough.
  • lluporini
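Why the single quotes matter, as an added example that is not part of burton247's post or the original code: the two query-building styles he contrasts, fed the two payloads from his post. mysql_real_escape_string() needs a live MySQL connection (and no longer exists in PHP 7+), so the block uses a small stand-in that escapes the same characters (NUL, newline, carriage return, backslash, both quote characters, Ctrl-Z); that stand-in, the function names and the payload strings are all constructed for this example.

```php
<?php
// Added example, not from the thread. Shows that escaping only protects a value
// that is placed inside quotes in the SQL text; an unquoted number needs no quote
// character to break out, so escaping has nothing to escape.

// Stand-in for mysql_real_escape_string(): escapes the same characters without
// needing a connection. Assumption: this is all the behaviour the demo needs.
function escape_like_mysql(string $s): string
{
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Built the way burton247 calls "safe": escaped AND wrapped in single quotes.
function quoted_query(string $pageid): string
{
    $e = escape_like_mysql($pageid);
    return "SELECT * FROM custompages WHERE id='$e'";
}

// Built the way he calls "will work but isn't": escaped but NOT quoted.
function unquoted_query(string $pageid): string
{
    $e = escape_like_mysql($pageid);
    return "SELECT * FROM custompages WHERE id=$e";
}

// Constructed payload 1 (from the post): contains no quote or backslash,
// so the escaping function returns it unchanged.
$numericPayload = '1 OR 1=1';

// Constructed payload 2 (from the post): relies on a quote to end the literal.
$quotePayload = "1';drop table custompages'";

echo "quoted, numeric payload:   ", quoted_query($numericPayload), PHP_EOL;
echo "unquoted, numeric payload: ", unquoted_query($numericPayload), PHP_EOL;
echo "quoted, quote payload:     ", quoted_query($quotePayload), PHP_EOL;
echo "unquoted, quote payload:   ", unquoted_query($quotePayload), PHP_EOL;
```

Running it shows the asymmetry: with quotes, `1 OR 1=1` stays inside a single string literal (MySQL coerces that literal to the number 1, so only page 1 is returned), and the quote-based payload comes out with its quotes backslash-escaped, still one literal. Without quotes, `1 OR 1=1` is emitted verbatim as SQL and the `OR` becomes part of the WHERE clause, exactly the `id=1 OR 1=1` query in the post. Escaping and quoting together close that hole for string values; for an id that is supposed to be an integer, casting with `(int)` or binding it as a parameter removes the question entirely.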
    As burton247 says it's pretty important you take into account the point about SQL injection.

    Another alternative would be to use prepared statements for that.

    Look at the php docs for it:

    PHP: Prepared Statements - Manual

    Hope it helps.

    Best,
    Luis
  • jamesc1985
    First of all I would use $_POST. It's more secure. The way you have it now someone could easily get the contents of your database.

    Secondly I think you should use PDO (PHP Data Objects) for accessing the database. PDO has bind functionality and prepared statements for extra security.

    You need to rewrite this code as it is very vulnerable.
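Putting lluporini's and jamesc1985's suggestions (prepared statements, PDO) together with the $_GET fix from the earlier replies, here is an added example of what otopage.php could look like. This is not code from the thread: it assumes config.php defines `$dsn`, `$dbuser` and `$dbpass`, keeps the table and column names from the original post, and uses a placeholder fallback address and a constructed link format.

```php
<?php
// Added example, not the original poster's code: otopage.php rewritten with PDO
// prepared statements. Inputs are validated first, then bound as parameters, so
// no user-controlled text is ever spliced into SQL.
session_start();

require 'config.php';   // assumed to define $dsn, $dbuser, $dbpass

// Throw on errors (no silent false returns) and use real server-side prepares.
$pdo = new PDO($dsn, $dbuser, $dbpass, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// The page id is the 'id' query parameter: accept only a positive integer.
// filter_input() returns false for a bad value and null when it is absent.
$pageid = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);

// The member id arrives in the URL on first visit and is kept in the session after
// that (the OP's existing behaviour). Restrict it to a simple identifier charset.
$thememberid = $_GET['thememberid'] ?? $_SESSION['thememberid'] ?? null;

if ($pageid === false || $pageid === null || $thememberid === null
    || !preg_match('/^[A-Za-z0-9_-]{1,32}$/', $thememberid)) {
    http_response_code(400);
    exit('Bad request');
}
$_SESSION['thememberid'] = $thememberid;

// Referring member's PayPal address, bound as a parameter rather than interpolated.
$stmt = $pdo->prepare('SELECT paypal_email FROM members WHERE userid = :userid');
$stmt->execute([':userid' => $thememberid]);
$commissionpaypalemail = $stmt->fetchColumn();
if ($commissionpaypalemail === false || $commissionpaypalemail === '') {
    $commissionpaypalemail = 'fallback@example.com';   // placeholder, not the OP's address
}

// The custom page row, by integer id.
$stmt = $pdo->prepare('SELECT id FROM custompages WHERE id = :id');
$stmt->bindValue(':id', $pageid, PDO::PARAM_INT);
$stmt->execute();
$page = $stmt->fetch();
if ($page === false) {
    http_response_code(404);
    exit('Page not found');
}
$thepageid = (int) $page['id'];

// The link the OP wanted to build on this page. Assumed URL shape; the values are
// URL-encoded for the query string and HTML-escaped for the attribute, because
// SQL is not the only place untrusted input can be interpreted.
$link = 'https://ezcapturepage.com/custom.php?' . http_build_query([
    'id'          => $thepageid,
    'thememberid' => $thememberid,
]);
echo '<a href="', htmlspecialchars($link, ENT_QUOTES, 'UTF-8'), '">Back to your page</a>';
```

Two design points worth noting. The integer check on `id` and the character whitelist on `thememberid` are done before any query runs, so a malformed request is rejected with a 400 rather than reaching the database at all; the prepared statements are the second, independent layer. And `PDO::ATTR_EMULATE_PREPARES => false` makes the MySQL server do the parameter binding, so the query text and the values travel separately and there is no client-side string escaping left to get wrong.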
