1

I can not pass the value of a variable from page request.php to page response.php that contains a MD5 encrypted value stored in a field in the mysql database for deleting a record.

Request.php page:

  1. Through query I extract the value stored in MD5: cod_idcrypt.
  2. The value of the field cod_idcrypt is recovered and set in the link:

<a href="response.php?crypt=<?php echo $cod_idcrypt; ?>" onclick="return confirm('Vuoi eliminare il valore?');">Cancella record</a>

Response.php page:

include("connect.php"); 
$cod_idcrypt =$_REQUEST['crypt'];
$sql="DELETE FROM tbl_product WHERE cod_idcrypt=".$cod_idcrypt;
$result=mysql_query($sql);

The records identified by cod_idcrypt is written correctly because I verified that the id primary key cod_id, is equal to the value written in cod_idcrypt function MD5.

select md5(123) as cod_id, '202cb962ac59075b964b07152d234b70' from dual;

Checks that I made: a) The delete function properly if made on db with the encrypted value b) The problem described above does not arise if you use the primary key instead of the id encrypted

I would use the encrypted value to avoid showing the url id real.

How can I fix?

Thank you

Frankie
  • 490
  • 8
  • 23
  • Session? AJAX? Just a couple of ideas. Also, don't use mysql_* functions as they are deprecated. Use MySQLi or PDO – Andy Holmes Aug 08 '15 at 11:58
  • 3
    **Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Aug 08 '15 at 12:02
  • 1
    MD5 is a hash function, not encryption. – Phil Aug 08 '15 at 12:03
  • 2
    Wow. This is SQL injection paradise. – david8 Aug 08 '15 at 12:11
  • 3
    Trying `bobby-tables.php?crypt=1%20OR%201=1` - will delete all your products. As your boss will say, "I hope you're happy", and you can reply, "Well, we've learned to sanitise our database inputs". [Linky](http://bobby-tables.com/). – halfer Aug 08 '15 at 12:54

1 Answers1

1

Your MD5 string will be a string and not an integer, therefore you have to quote that $cod_idcrypt variable in your query.

$sql="DELETE FROM tbl_product WHERE cod_idcrypt='$cod_idcrypt'";
$result=mysql_query($sql) or die(mysql_error());
  • Sidenote: Remember and take note that the above query will delete ALL keys with the same value. If you want to delete only keys related to a certain ID, then add an additional clause to it. I.e.: AND id=5 for example.

MD5(123) will produce the following string (and not an integer).

  • 202cb962ac59075b964b07152d234b70

You may have thought that the 123 integer in your column (if that is the case here) would also be one in your query or treated as an integer, but it's not. It is being MD5'd, in turn being rendered as a string.

  • Sidenote: The column holding the MD5 strings should be VARCHAR and long enough to store the full length of it. VARCHAR(40) is a safe bet.

Having checked for errors on the query would have signaled the syntax error.

As stated in comments, your code is open to SQL injection and using a deprecated MySQL library.

Use mysqli with prepared statements, or PDO with prepared statements, they're much safer.

Add error reporting to the top of your file(s) which will help find errors.

<?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

// rest of your code

Sidenote: Displaying errors should only be done in staging, and never production.

  • Pay attention to the comments left under your question.
Funk Forty Niner
  • 74,450
  • 15
  • 68
  • 141