Home/ Questions/Q 4340244
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-21T11:19:24+00:00

I’m very new to php/SQL (1 day) so forgive me if I am doing

  • 0

I’m very new to php/SQL (1 day) so forgive me if I am doing this in a backwards way.

This php below is intended to return the 100 most recent entries into the DB. I attempt to do it by selecting 100 entries to be returned and sort by the date(time stamp) the entry was made. Will this return the 100 more recent entries to the DB? Or am I understanding this wrong?

    $type   = isset($_GET['type']) ? $_GET['type'] : "global";
$offset = isset($_GET['offset']) ? $_GET['offset'] : "0";
$count  = isset($_GET['count']) ? $_GET['count'] : "100";
$sort   = isset($_GET['sort']) ? $_GET['sort'] : "date DESC";

// Localize the GET variables
$udid  = isset($_GET['udid']) ? $_GET['udid'] : "";
$name  = isset($_GET['name']) ? $_GET['name']  : "";

// Protect against sql injections
$type   = mysql_real_escape_string($type);
$offset = mysql_real_escape_string($offset);
$count  = mysql_real_escape_string($count);
$sort   = mysql_real_escape_string($sort);
$udid   = mysql_real_escape_string($udid);
$name   = mysql_real_escape_string($name);

// Build the sql query
$sql = "SELECT * FROM $table WHERE ";

switch($type) {
    case "global":
        $sql .= "1 ";
        break;
    case "device":
        $sql .= "udid = '$udid' ";
        break;
    case "name":
        $sql .= "name = '$name' ";
        break;
}

$sql .= "ORDER BY $sort ";
$sql .= "LIMIT $offset,$count ";

$result = mysql_query($sql,$conn);

if(!$result) {
    die("Error retrieving scores " . mysql_error());
}
//echo $result;
$rows = array();
while($row = mysql_fetch_assoc($result)) {
        $rows[] = $row;
}
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This should work, although date is a MySQL keyword, so you would either need to enclose date in backquotes or rename that column.

    Also, definitely make sure you’ve sanitized those inputs before building your query. Building a query off of user-editable values from $_GET or $_POST with no sanitation is very unsafe.

    For WHERE parameters, you should be running mysql_real_escape_string() on those (which I see you are, I’m not sure if you were before or not). That’s enough because you’re wrapping those values in quotes in your query, and since you’re escaping that string, any attempt to break out of those quotes won’t work.

    For the stuff like the ORDER BY you have, I would define a valid “list” of allowed values and check to make sure your parameter is in that list. For example:

    $valid_orderbys = array('`date` DESC', '`date` ASC', '`name` DESC', '`name` ASC');

if (in_array($_GET['sort'], $valid_orderbys))
{
    // you're good, you can use this value
}
else
{
    // unexpected value, either alert the user or 
    // use a default value you define
}

    Or for LIMIT, you could use PHP’s built-in is_numeric() to verify that the value you’re being given is a number, not a crafted string.

    It’s not enough to simply escape the $table, ORDER BY and LIMIT parameters because they’re not wrapped in quotes and therefore someone can just maliciously inject a value of ; DROP TABLE whatever; --. This ends up making your query something like:

    SELECT * FROM ; DROP TABLE whatever; --WHERE ...

    Queries are separated by semicolons, so there are three queries here. The first fails because it’s invalid, the second succeeds in dropping the table, and the third is just a comment so nothing happens. But you can see, if you let users throw whatever they want as one of those parameters, it’s a wide open security hole. (I’m not sure if enclosing the table name in backquotes helps this, someone let me know if you know. But in any case, you can do the same attack on the LIMIT and ORDER BY parameters.)

    • 0