I want to remove the hard-coded Item_code and put a $whereis variable there instead, but what is the correct syntax to do that?

$query = "SELECT *
    FROM `stock`
    WHERE Item_code = '{$testingone}' AND size='{$sizurl}'
    ";
Yasitha
  • 2
    Everybody loves SQL injection! – tc. Jul 21 '12 at 02:50
  • @tc. If `$testingone` and `$sizurl` are not user-supplied, then there is no vulnerability. – cdhowie Jul 21 '12 at 02:51
  • 3
    To clarify tc's point, Yasitha: a site that incorporates code like yours is potentially vulnerable to [SQL injection](http://en.wikipedia.org/wiki/SQL_injection) attacks, if user data can ever make its way into either of those two variables. It's a serious problem. There are lots of questions on this site discussing ways of avoiding this problem. [Here's one](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php). – Michael Petrotta Jul 21 '12 at 02:54
  • Use [*PDO*](http://php.net/manual/en/book.pdo.php) or [*MySqli*](http://php.net/manual/en/book.mysqli.php) – Nir Alfasi Jul 21 '12 at 03:02
  • Thank you very much, guys. You saved me... I always used mysql_real_escape_string and preg_match, so is it still vulnerable to do this? – Yasitha Jul 21 '12 at 03:05
  • 1
    @cdhowie: It still violates the principle of preserving semantics (it does not need to be user-supplied to contain a '), and I strongly suspect that "Item_code" is user-supplied. Besides, prepared statements are often significantly more efficient. – tc. Jul 21 '12 at 03:08
  • @tc. Of course. I'm not saying that it's a good idea, only that if the variables don't come from user input, it's not a critical security problem that needs to be addressed immediately. – cdhowie Jul 21 '12 at 03:15
  • Wow, great advice... Thank you all very much... I will never make that mistake again... In this case item_code is a user-supplied thing, but I'm making this web-based application not for use on the internet, but for use in a small pharmacy, so the risk is much lower. Anyway, your advice is very valuable to me... Thank you all again. – Yasitha Jul 21 '12 at 03:28
  • 1
    @cdhowie: If not, then it is probably a critical security problem that will manifest itself a few months later when your "test server" becomes the production server without sufficient code review. Bad practices are always bad practices. – tc. Jul 21 '12 at 03:56

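The comments recommend PDO or MySQLi with prepared statements instead of interpolating `$testingone` and `$sizurl` into the query string. The following is an added example, not code from the question or from any answer on this page. It assumes a PDO connection to a MySQL database with a `stock` table; the column whitelist, the `findStock` function, the request parameter names and the connection details are all assumptions. It also covers the `$whereis` part of the question: a column name cannot be bound as a parameter, so making the column variable is only safe when the value is checked against a fixed list of known column names.

```php
<?php
// Added example, not from the original question or any answer on this page.
// Assumptions: a PDO connection to a MySQL database with a `stock` table whose
// columns include those listed in $allowedColumns; request parameter names are
// made up for illustration.

// Columns that $whereis may name. Identifiers can never be bound as parameters,
// so a whitelist is the only safe way to let the column vary.
$allowedColumns = ['Item_code', 'Item_name', 'Barcode'];

function findStock(PDO $pdo, string $whereis, string $value, string $size, array $allowedColumns): array
{
    // Reject any column name that is not on the fixed list (strict comparison,
    // so "0" or an object cannot match by type juggling).
    if (!in_array($whereis, $allowedColumns, true)) {
        throw new InvalidArgumentException("Unknown column: $whereis");
    }

    // The column is trusted now (it came from our own list); the values are
    // bound as parameters, so a quote in $value or $size cannot change the
    // structure of the statement.
    $sql = "SELECT * FROM `stock` WHERE `$whereis` = :value AND `size` = :size";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':value' => $value, ':size' => $size]);

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection details are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=pharmacy;charset=utf8mb4',
    'dbuser',
    'dbpass',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

// The request parameter names ('field', 'code', 'size') are assumed.
$whereis    = $_GET['field'] ?? 'Item_code';
$testingone = $_GET['code']  ?? '';
$sizurl     = $_GET['size']  ?? '';

try {
    $rows = findStock($pdo, $whereis, $testingone, $sizurl, $allowedColumns);
    foreach ($rows as $row) {
        echo htmlspecialchars($row['Item_code'] ?? ''), "\n";
    }
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Bad request';
}
```

The same split applies with MySQLi: bind `$testingone` and `$sizurl` with `bind_param`, and validate `$whereis` against the whitelist before it goes into the SQL text. `mysql_real_escape_string` only escapes string literals; it does nothing for an identifier such as a column name, which is why the whitelist check is needed regardless of the database extension used.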