
I am quite inexperienced with using PHP and JavaScript etc., but for my website I need to send MySQL queries to a PHP page that will appear in a frame on the same page. I know that hackers have so many ways to access the database with SQL injection that with my inexperience I'm going to leave it wide open. So I was thinking that instead of sending anything with POST and GET, I could save the query into a text file and then load the text file into the PHP script in the frame. This seems more secure to me, but I expect I'm going to hear otherwise. If that's not secure, then what is the best way to send one very long database query from one page to another?

percy
  • *"I need to send MySQL queries to a PHP"* - Well, if your use case is that users are providing SQL queries for you to execute then SQL injection is kind of a moot point. You're literally asking the user what SQL code to execute. Unless that's not your use case? If not, why do you need to "send queries" to a page? – David Dec 24 '19 at 12:45
  • Word of advice - "Don't use PHP" – roshnet Dec 24 '19 at 13:38
  • It is for a search filter; the user uses + and - buttons to filter search criteria and there is a lot to filter from. Then the query is built from the filters with JavaScript to use on an existing database. I want the page in the frame to update as soon as a filter is added or removed. – percy Dec 25 '19 at 11:06
  • The users are just clicking links and then the POST and GET method selects from the database. Like they click a link, e.g. round, and the word round is sent in the POST, then the word round is used in the SQL query. The user isn't filling out any forms or anything, but I thought they would be able to edit the URL and inject things that way, like change the word "round" to "drop table" or something. But if the URL was just saved to a text file then there would be no way for them to even try? – percy Jan 18 '20 at 11:00
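
For the filter design described in the comments above, an added example (not code from this thread): the browser sends only filter names and values, and the PHP page in the frame builds the SQL itself from an allowlist and bound parameters. The `items` table, its columns and the filter names are hypothetical, and an in-memory SQLite database stands in for MySQL so the script runs on its own.

```php
<?php
// Allowlist: filter name sent by the browser => column it may touch (hypothetical schema).
const FILTER_COLUMNS = ['shape' => 'shape', 'colour' => 'colour', 'size' => 'size'];

/**
 * Build a parameterized query from filters shaped like
 * ['shape' => ['+' => ['round'], '-' => ['square']]].
 * Column names come only from the allowlist; values travel only as bound parameters.
 */
function build_filter_query(array $filters): array
{
    $where = [];
    $params = [];
    foreach ($filters as $name => $ops) {
        if (!array_key_exists($name, FILTER_COLUMNS) || !is_array($ops)) {
            throw new InvalidArgumentException('unknown filter');
        }
        $col = FILTER_COLUMNS[$name];
        foreach (['+' => 'IN', '-' => 'NOT IN'] as $op => $sqlOp) {
            // Keep string values only; nested arrays or other types are dropped.
            $values = array_values(array_filter((array)($ops[$op] ?? []), 'is_string'));
            if ($values === []) {
                continue;
            }
            $marks = implode(', ', array_fill(0, count($values), '?'));
            $where[] = "$col $sqlOp ($marks)";
            array_push($params, ...$values);
        }
    }
    $sql = 'SELECT id, shape, colour FROM items';
    if ($where !== []) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    return [$sql, $params];
}

// Constructed sample data; SQLite in memory is an assumption standing in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, shape TEXT, colour TEXT, size TEXT)');
$pdo->exec("INSERT INTO items (shape, colour, size) VALUES
    ('round','red','s'), ('round','blue','m'), ('square','red','l')");

// What the frame might receive from the URL; the second shape value is an edited one.
$filters = ['shape' => ['+' => ['round', "x'; DROP TABLE items; --"]],
            'colour' => ['-' => ['blue']]];
[$sql, $params] = build_filter_query($filters);
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
echo $sql, "\n";                               // placeholders only, no user text
print_r($stmt->fetchAll(PDO::FETCH_ASSOC));    // rows matching the filters
```

The edited value is compared as an ordinary string and matches no row, and a filter name outside the allowlist is rejected before any SQL is built.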

0 Answers