Comments on: More Elegant Object-Oriented PHP Output of MySQL Data http://articles.akgfx.com/2008/04/more-elegant-object-oriented-php-output-of-mysql-data/ A Compulsively Obsessing Blog Sun, 06 Mar 2011 23:12:40 +0000 hourly 1 http://wordpress.org/?v=3.2 By: john http://articles.akgfx.com/2008/04/more-elegant-object-oriented-php-output-of-mysql-data/comment-page-1/#comment-2381 john Fri, 21 Jan 2011 02:49:10 +0000 http://articles.akgfx.com/?p=5#comment-2381 should be: $id = intval($id); should be:
$id = intval($id);

]]> By: Duppy http://articles.akgfx.com/2008/04/more-elegant-object-oriented-php-output-of-mysql-data/comment-page-1/#comment-1551 Duppy Sun, 07 Nov 2010 13:47:27 +0000 http://articles.akgfx.com/?p=5#comment-1551 $id = mysql_real_escape_string($id); // better make sure it's safe! $query = "SELECT u_username, u_firstName, u_lastName, u_email, u_phone FROM userTable WHERE u_id = $id"; It is not Safe mysql! Try these: ?id=1+AND+1=1 ?id=1+AND+1=2 ?id=1+UNION+ALL+SELECT+1,2,3,4,5 ?id=1+UNION+ALL+SELECT+1,version(),3,4,5 ?id=1+UNION+ALL+SELECT+1,password,3,4,5+from+passwords_table+limit+1 etc... The proper way is : $id = mysql_real_escape_string($id); // better make sure it's safe! $query = "SELECT u_username, u_firstName, u_lastName, u_email, u_phone FROM userTable WHERE u_id = '$id' "; $id = mysql_real_escape_string($id); // better make sure it’s safe!
$query = “SELECT u_username, u_firstName,
u_lastName, u_email, u_phone FROM userTable WHERE u_id = $id”;

It is not Safe mysql!
Try these:
?id=1+AND+1=1
?id=1+AND+1=2
?id=1+UNION+ALL+SELECT+1,2,3,4,5
?id=1+UNION+ALL+SELECT+1,version(),3,4,5
?id=1+UNION+ALL+SELECT+1,password,3,4,5+from+passwords_table+limit+1
etc…

The proper way is :

$id = mysql_real_escape_string($id); // better make sure it’s safe!
$query = “SELECT u_username, u_firstName,
u_lastName, u_email, u_phone FROM userTable WHERE u_id = ‘$id’ “;

]]>