Thursday, June 21, 2007

FUCKING ERROR!


<?php
require_once('include/conn.php');
conectarse(); // defined in include/conn.php; expected to set up the $conn link

// Taken straight from the URL with no validation: this is the value the comments below attack
$restaurante = $_GET["restaurante"];

// Clear the restaurant's current services before re-inserting the ticked ones
if ($restaurante<>0){
    $cons = "delete from servicios_x_restaurante where restaurante = $restaurante";
    mysql_query($cons,$conn) or die(mysql_error());
}

// One checkbox per active service, named servicio<codigo>, value 1 when ticked
$consco = "select * from servicios where estado = 1";
$rco=mysql_query($consco, $conn);
while($rsco=mysql_fetch_array($rco)){
    $servicio = 0; // reset each pass, otherwise a tick carries over to every later service
    // the original read $rs["codigo"], but the row variable in this loop is $rsco
    if(isset($_POST["servicio".$rsco["codigo"]]))$servicio = $_POST["servicio".$rsco["codigo"]];

    if($servicio ==1){
        // store the service code, not the checkbox value 1
        $consins = "insert into servicios_x_restaurante (servicio, restaurante) values ('".$rsco["codigo"]."', '$restaurante')";
        mysql_query($consins,$conn) or die(mysql_error());
    }
}

header ("location: servicios_x_restaurante.php?restaurante=".$restaurante);
?>









WHERE'S THE FUCKING ERROR?!!??!?!!?

10 comments:

Ze0n said...

I can keep laughing my ass off, or show it to my girlfriend...

I choose to keep laughing my ass off.

Anonymous said...

Here's a hint. It's not your error (eh, it could be the fact that conectarse isn't a valid PHP command unless you happen to have mapped it to a function somewhere else; PHP no speak Spanish).

This is a major problem:
$restaurante = $_GET["restaurante"];

if ($restaurante<>0){
$cons = "delete from servicios_x_restaurante where restaurante = $restaurante";
mysql_query($cons,$conn) or die(mysql_error());
}

Why? MySQL injection.

You're using GET, which can be fiddled with because hey, it passes this stuff in plaintext anyway, so someone can mess with your data and pwn your databases by just changing the URL.

And you don't even check for SQL injection, strip slashes, or anything--you just delete the entry.

What if $restaurante was made to be *? What would happen to your data?

...Not-so-hypothetical question. ^_^

Alan Diaco said...

I'm guessing you are Jo. Hi, wazzup ^^

I don't want to turn this into a php forum... but what the heck...

The thing is I'm working offline, so no one can mess with my database.

And restaurante can't be anything that's not numerical, because it is sent through another php, and is set as an integer from the database.

BTW I have already corrected the error, and it wasn't in this code, it was on the previous page =D

For those who didn't understand what I said up there, I was telling him that Ratón Pérez is a child molester.

pedobear's seal of approval

Anonymous said...

Yep, it's me. Looks like some fun work you've got to do. ^_^

And it's good you fixed the error, but I will have to say though that regardless of whether it's been settled as an integer, using GET to transfer the value is an insecure method anyway.

GET, if I'm not mistaken, does the following to your url:
http://blahblah.com/script.php?restaurante=#

Where # is the value it picks up. So if this page was presented to the user, what's stopping them from URL-hacking and going

.../script.php?restaurante=*

and thus calling your script with a value that you hadn't previously settled in your other script? If you're sending that code to this page after prefiltering it, why not use POST instead? That way people can't mess with it. Or just check via regular expressions that you are actually getting numbers like you expect to...

Not a big deal if the public never sees the URL, but at that point, why not just use POST?

"because it is sent through another php, and is set as an integer from the database."
Same with, say, GameFAQs and their topics and whatnot... The values passed through their URLs are settled to numbers, but you can still change them after they've been sent by _GET to give you the topic, getting you to other topics or error pages accordingly...

Whatever though, all in all it's good you fixed the error. ^_^

(If the original spanish text was as funny as babelfish made it.. XD. Otherwise, XD anyway, lol.)

Alan Diaco said...

the thing about security... I have that covered ^^

if you are not logged in as an admin, and you try to url hack into any section, I have a little function that automatically kicks you to the log in section =D

man... it's fun to discuss programming... I don't know whether to feel good or bad... I'm confused =s

niv said...

You have to be very careful with that. In PHP it's very easy to write insecure code.
Check whether there are libraries that solve the problem of someone putting SQL code in the middle of your query. That is, instead of building your string directly, you pass it the values. It should exist, look for it.

Unknown said...

I completely agree with everything that was said previously.

Anonymous said...

What if they are logged in as admin and then URL hack?

All I'm saying is that if you're using GET, insecure for above mentioned reasons, to transfer a value that you use in a MySQL query without again further verifying with a preg_match or something that it's actually what you asked for, you're trusting your user perhaps a bit too much. Who's to say I can't sit down on a comp someone left open with admin access and destroy your data? Or gain admin access through social engineering or an exploit? Although that admin function is pretty spiffy, and good security.

Discussing programming is fun, and it's a good thing. (Sorry I'm such a nut when it comes to secure code, lol.) ^_^

Alan Diaco said...

well... you kinda have a point there... my code is not idiot proof... maybe it should be, considering how people are, and the fact that my Mexican client is not the sharpest knife in the knife...holding... thingy...

the thing is I usually use POST for form values, and GET for categories and/or other variables I need to carry through several different pages...


and yes, indeed, discussing programming IS fun ^^

Anonymous said...

I don't see how you can protect the stuff if the user has admin access.
If the user has the ability to delete rows, and leaves his computer open, well... then all the rows are going to be deleted, no exceptions.
I insist that a real security measure in that code is to not build the query string that way. You should have a function something like,

secureprint("delete from servicios_x_restaurante where restaurante = %i", $restaurante)

this secureprint would replace "%i" with an integer. If $restaurante was something like "*" or some code, it would raise an error.

This secureprint should also need something like "%s", to put a string with escaping.
I'm pretty sure this function already exists in PHP, or should exist. Another solution in PHP, from what I've seen, is to use magic quotes, but they seem like a horrible solution.

-nicolas

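Added example, not code from the post or from any of the commenters: the DELETE from the post rebuilt against an in-memory SQLite table with Python's standard sqlite3 module, so the three behaviours argued about in the thread can be run side by side. delete_vulnerable is the post's string-built query that Anonymous attacks; delete_parameterized is the "pass it the values" approach niv points at; delete_validated is the "%i" integer check nicolas sketches. The table, the rows and the restaurant ids are constructed for the demo. One correction to the thread: the `restaurante=*` payload is a SQL syntax error in both MySQL and SQLite and deletes nothing; what empties the table is a boolean tautology such as `1 OR 1=1`, which makes the WHERE clause true for every row.

```python
import re
import sqlite3

# Constructed sample rows (servicio, restaurante); not data from the original post.
SAMPLE_ROWS = [(1, 1), (2, 1), (1, 2), (3, 2), (2, 3)]


def fresh_db():
    """In-memory stand-in for the post's servicios_x_restaurante table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table servicios_x_restaurante (servicio integer, restaurante integer)"
    )
    conn.executemany("insert into servicios_x_restaurante values (?, ?)", SAMPLE_ROWS)
    return conn


def remaining(conn):
    """Row count left in the table after a delete."""
    return conn.execute("select count(*) from servicios_x_restaurante").fetchone()[0]


def delete_vulnerable(conn, restaurante):
    """Mirror of the post's DELETE: the GET value is pasted into the SQL text."""
    cons = f"delete from servicios_x_restaurante where restaurante = {restaurante}"
    conn.execute(cons)
    return remaining(conn)


def delete_parameterized(conn, restaurante):
    """Same DELETE with a bound parameter: the value is data, never SQL."""
    conn.execute(
        "delete from servicios_x_restaurante where restaurante = ?", (restaurante,)
    )
    return remaining(conn)


def delete_validated(conn, restaurante):
    """The '%i' idea from the thread: accept only a plain integer, else raise."""
    if not re.fullmatch(r"[0-9]+", str(restaurante)):
        raise ValueError(f"restaurante must be an integer, got {restaurante!r}")
    conn.execute(
        f"delete from servicios_x_restaurante where restaurante = {int(restaurante)}"
    )
    return remaining(conn)


def validated_rejects(restaurante):
    """True when delete_validated refuses the value before any SQL runs."""
    try:
        delete_validated(fresh_db(), restaurante)
    except ValueError:
        return True
    return False


def vulnerable_errors_on(restaurante):
    """True when the string-built DELETE is a SQL syntax error for this value."""
    try:
        delete_vulnerable(fresh_db(), restaurante)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    print("honest id 1, vulnerable:", delete_vulnerable(fresh_db(), 1))
    print("'1 OR 1=1', vulnerable:", delete_vulnerable(fresh_db(), "1 OR 1=1"))
    print("'1 OR 1=1', parameterized:", delete_parameterized(fresh_db(), "1 OR 1=1"))
    print("'1 OR 1=1', validated rejects:", validated_rejects("1 OR 1=1"))
    print("'*', vulnerable is a syntax error:", vulnerable_errors_on("*"))
```

With an honest id the three variants behave identically. With `1 OR 1=1` the string-built version deletes all five rows, the bound-parameter version deletes none (SQLite compares the text `1 OR 1=1` against an integer column and finds no match; a MySQL prepared statement behaves the same way), and the validated version refuses before any query is sent. The PHP equivalents at the time of the post were `(int)$_GET["restaurante"]` for the integer check and mysqli or PDO prepared statements for parameter binding; the admin-login gate mentioned in the thread does not change any of this, because the injected value comes from a logged-in request.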