How to make this safe or select safe

Discussion in 'PHP' started by tasos55, May 16, 2013.

  1. #1
    Hello all, I want to know if this is safe, or how I can make it safe if it is not. I am just a beginner at PHP.
    $id (is the pagination)
    $per_page (is how many I want to show)
    $construct (is the table from where I want to select)
    Thanks.
    PHP:
    $getquery = mysql_query("SELECT * FROM `videos` WHERE $construct ORDER BY date DESC LIMIT $id, $per_page");

    tasos55, May 16, 2013 IP
  2. nico_swd
    #2
    Unfortunately, the code you've provided is not enough to tell whether it's safe or not. Where do the variables come from? What do they contain? Are they user-defined?

    What I can tell you for sure is that your code is very old and outdated. The mysql_* functions are deprecated and should be avoided at all cost. You should switch to a newer, safer, and faster library such as PDO.

    Take a look at this to get started:
    http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers
    nico_swd, May 16, 2013 IP
  3. tasos55
    #3
    Thanks for the PDO, I will try to do it that way, but I already have a lot of pages for this website.
    I would like to keep this script; do I need to post more code of my script to get help with it?
    tasos55, May 16, 2013 IP
  4. nico_swd
    #4
    Yes. Post the part where the variables are defined.
    nico_swd, May 16, 2013 IP
  5. tasos55
    #5
    I think it is better if I post the complete script.
    Here below is the first part.
    PHP:
    <?php
    $button = $_GET['submit'];
    $search = $_GET['search'];
    echo " ";   // page header HTML was stripped from the forum post

    include 'extern/connectsearch.php';

    // Build the WHERE clause: one LIKE condition per space-separated search word.
    // Note: $funny (the current search word) is never used; the title pattern is hard-coded.
    $construct = '';
    $x = 0;
    $search_exploded = explode(" ", $search);
    foreach ($search_exploded as $funny)
    {
        $x++;
        if ($x == 1)
            $construct .= "title LIKE '%Funny%'";
        else
            $construct .= " AND title LIKE '%Funny%'";
    }

    $constructs = "SELECT * FROM videos WHERE $construct";
    $run = mysql_query($constructs);

    $foundnum = mysql_num_rows($run);

    if ($foundnum == 0)
        echo "Sorry, there are no matching result for <b>$search</b>.</br></br>";

    $per_page = 36;
    $id = $_GET['id'];          // row offset, taken straight from the query string
    $max_pages = ceil($foundnum / $per_page);
    if (!$id)
        $id = 0;
    $getquery = mysql_query("SELECT * FROM videos WHERE $construct ORDER BY date DESC LIMIT $id, $per_page");

    // Column values are read per row inside the loop (they were read before it in the original)
    while ($runrows = mysql_fetch_assoc($getquery))
    {
        $thumbs   = $runrows['thumbs'];
        $title    = $runrows['title'];
        $channel  = $runrows['channel'];
        $url      = $runrows['url'];
        $duration = $runrows['duration'];
        echo ' ';   // per-video HTML was stripped from the forum post
    }
    echo "<center>";
    ?>
    And here below is the pagination
    PHP:
    <?php
    //Pagination ids
    echo "<center>";
    $prev = $id - $per_page;
    $next = $id + $per_page;

    $adjacents = 5;
    $last = $max_pages - 1;

    if ($max_pages > 1)
    {
        //previous button
        if (!($id <= 0))
            echo "<div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$prev'>Prev</a> </div>";

        //pages
        if ($max_pages < 7 + ($adjacents * 2))  //not enough pages to bother breaking it up
        {
            $i = 0;
            for ($counter = 1; $counter <= $max_pages; $counter++)
            {
                if ($i == $id) {
                    echo "<div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$i'><font color=orange><b>$counter</b></font></a></div> ";
                }
                else {
                    echo "<div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$i'>$counter</a></div> ";
                }
                $i = $i + $per_page;
            }
        }
        elseif ($max_pages > 5 + ($adjacents * 2))    //enough pages to hide some
        {
            //close to beginning; only hide later pages
            if (($id / $per_page) < 1 + ($adjacents * 2))
            {
                $i = 0;
                for ($counter = 1; $counter < 4 + ($adjacents * 2); $counter++)
                {
                    if ($i == $id) {
                        echo "<div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$i'><font color=orange><b>$counter</b></font></a></div> ";
                    }
                    else {
                        echo "<div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$i'>$counter</a></div> ";
                    }
                    $i = $i + $per_page;
                }
            }
            //in middle; hide some front and some back
            elseif ($max_pages - ($adjacents * 2) > ($id / $per_page) && ($id / $per_page) > ($adjacents * 2))
            {
                echo " <div class='paginate'><a href='funny.php?search=$search&submit=search&id=0'>1</a></div> ";
                // page 2 starts at row offset $per_page (the original used the undefined $per_id)
                echo "<div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$per_page'>2</a> ....</div> ";

                $i = $id;
                for ($counter = ($id / $per_page) + 1; $counter < ($id / $per_page) + $adjacents + 2; $counter++)
                {
                    if ($i == $id) {
                        echo " <div class='paginate'><a href='funny.php?search=$search&submit=search&id=$i'><font color=orange><b>$counter</b></font></a></div>";
                    }
                    else {
                        echo " <div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$i'>$counter</a></div> ";
                    }
                    $i = $i + $per_page;
                }
            }
            //close to end; only hide early pages
            else
            {
                echo " <div class='paginate'> <a href='funny.php?search=$search&submit=search&id=0'>1</a></div> ";
                // page 2 starts at row offset $per_page (the original used the undefined $per_id)
                echo " <div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$per_page'>2</a> ....</div> ";

                $i = $id;
                for ($counter = ($id / $per_page) + 1; $counter <= $max_pages; $counter++)
                {
                    if ($i == $id) {
                        echo "<div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$i'><font color=orange><b>$counter</b></font></a></div>";
                    }
                    else {
                        echo " <div class='paginate'><a href='funny.php?search=$search&submit=search&id=$i'>$counter</a></div> ";
                    }
                    $i = $i + $per_page;
                }
            }
        }

        //next button
        if (!($id >= $foundnum - $per_page))
            echo "<div class='paginate'> <a href='funny.php?search=$search&submit=search&id=$next'>Next</a></div> ";
    }
    echo "</center>";
    ?>
    tasos55, May 16, 2013 IP
  6. sarahk
    #6
    Anything that comes to you from a $_GET or $_POST needs to be cleaned.

    Run it through the steps suggested in the PDO or get a decent database handler class from somewhere that already has all the good stuff built in. Security is too important - don't feel like it's cheating to use a handler, or like your script doesn't need to be that complicated. If you have a form on your page it will get found and you do run a risk. Hackers don't apply a whole lot of logic about the value of the information they can steal or the impact of their actions.
    sarahk, May 16, 2013 IP
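The PDO rewrite that posts #2 and #6 recommend, as an added example that is not code from the thread or from any of its participants: the search-and-paginate query of the posted script with every user-supplied value (the search words, the row offset `id`, the page size) bound as a prepared-statement parameter instead of interpolated into the SQL string. The table `videos` and the columns `title` and `date` come from the posted script; the DSN, database name, user and password are placeholders, and `buildSearchQuery` and `pageOffset` are helper names chosen for this example.

```php
<?php
// Added example, not from the thread: search + pagination with PDO prepared statements.
declare(strict_types=1);

/**
 * Turn the space-separated search words into a WHERE fragment with one
 * "title LIKE ?" clause per word. The fragment itself contains only fixed
 * text; every user-supplied word goes into $params and is bound later.
 */
function buildSearchQuery(array $words): array
{
    $clauses = [];
    $params  = [];
    foreach ($words as $word) {
        if ($word === '') {
            continue;
        }
        $clauses[] = 'title LIKE ?';
        // Escape LIKE wildcards so a user typing "%" or "_" matches those characters literally
        $params[] = '%' . addcslashes($word, '%_\\') . '%';
    }
    if ($clauses === []) {
        // No usable search word: match nothing rather than the whole table
        return ['0 = 1', []];
    }
    return [implode(' AND ', $clauses), $params];
}

/**
 * The posted script takes the row offset straight from $_GET['id'].
 * Validate it as a non-negative integer and snap it to a page boundary.
 */
function pageOffset($raw, int $perPage): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) {
        return 0;
    }
    return $id - ($id % $perPage);
}

// Placeholder connection details; replace with the site's own.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares; LIMIT placeholders are bound as ints below
    ]
);

$search  = (string) ($_GET['search'] ?? '');
$perPage = 36;
$offset  = pageOffset($_GET['id'] ?? 0, $perPage);

[$where, $params] = buildSearchQuery(preg_split('/\s+/', trim($search)) ?: []);

// Row count for the page calculation ($foundnum / $max_pages in the posted script)
$count = $pdo->prepare("SELECT COUNT(*) FROM videos WHERE $where");
$count->execute($params);
$foundnum = (int) $count->fetchColumn();
$maxPages = (int) ceil($foundnum / $perPage);

// Page query: the LIMIT values are bound as integers, never interpolated
$stmt = $pdo->prepare("SELECT * FROM videos WHERE $where ORDER BY date DESC LIMIT ?, ?");
foreach ($params as $i => $value) {
    $stmt->bindValue($i + 1, $value, PDO::PARAM_STR);
}
$stmt->bindValue(count($params) + 1, $offset, PDO::PARAM_INT);
$stmt->bindValue(count($params) + 2, $perPage, PDO::PARAM_INT);
$stmt->execute();

foreach ($stmt as $row) {
    // Titles are untrusted data ending up in HTML: escape on output as well
    echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}

// The search term reflected into the pagination links must be URL-encoded and HTML-escaped
$next = $offset + $perPage;
if ($next < $foundnum) {
    $href = 'funny.php?search=' . rawurlencode($search) . '&submit=search&id=' . $next;
    echo '<a href="', htmlspecialchars($href, ENT_QUOTES, 'UTF-8'), '">Next</a>';
}
```

Two points of the design are worth noting. The only thing interpolated into the SQL is `$where`, which is built from the fixed strings `title LIKE ?` and `0 = 1`, so the query text never contains user input; and `LIMIT` values are bound with `PDO::PARAM_INT`, because MySQL rejects quoted strings in `LIMIT`, which is exactly the spot where the original script interpolates `$_GET['id']` unvalidated. The `htmlspecialchars` and `rawurlencode` calls address the second issue visible in the posted pagination code, where `$search` is echoed into `href` attributes unescaped.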