After a couple of years living with magic_quotes_gpc() on, I'm tired of dealing with having to poke in stripslashes and addslashes in various places so I'm turning it off.
Instead I'm using mysql_real_escape_string() to escape input where I can. Doing UPDATE and INSERT is easy - I can run the function on each field before it goes into the db.
The SELECT is giving me a little more trouble. I can secure SELECTs that come via $_POST - the only ones are username and password for login, and a search field (all of which get mysql_real_escape_string() before being processed). Logged-in status is stored in a session, and passwords are not stored in the session.
But what about $_GET? Can someone 'get' me via $_GET?
The data I'm passing via $_GET is typically either simple word flags or numeric record ids. So at its most complex you'd have something like:
mypage.php?parent_id=3&item_id=4&img_id=5&catalog=true&showimage=true
- that sort of thing. Generally the word flags act as logic directors - do I show the catalog page, or the item page, or the image page? - and the ids tell the script which record to retrieve.
Since this is an object-oriented system, the actual retrieval script would be something like:
$image = &new db_Image;
$image->sql_where = "img_type='catalog' AND img_id=" . $_GET['img_id'];
$result_array = $image->getData();
In the $image object I connect to the db and perform a query, the WHERE clause of which is taken from $this->sql_where.
Seems to me the worst anyone could type in the browser's URL field would be the wrong id, or a word flag that meant nothing to my system. Any kind of delete or reveal or anything like that would simply produce an error - or no output, since error display is off. But could they add to the img_id somehow in the URL field and wreak havoc?
Trying to escape the WHERE clause in a SELECT is tricky in my setup, 'cause there are about a hundred of them scattered about. Which is why I'm asking.
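Added example, not part of the original post: the risk in the snippet above is that an unquoted numeric parameter concatenated straight into the WHERE clause becomes part of the SQL text, so escaping functions do nothing for it. The usual defences are to validate ids as integers and word flags against a closed allow-list before they touch any SQL, and, where possible, to move to bound parameters. The db_Image class and its sql_where property are the poster's; the helper names, the `images` table and the PDO connection placeholders below are assumptions made for this illustration.

```php
<?php
// Added example (not from the original post): validate $_GET inputs before they
// reach a WHERE clause, and bind values instead of concatenating them.
// The db_Image class / sql_where idea comes from the post; the function names,
// the `images` table and the PDO DSN placeholders are constructed here.

declare(strict_types=1);

/**
 * Return a positive integer from the query array, or null if the parameter is
 * missing or is not a plain integer. Anything that is not digits fails
 * validation, so only a well-formed id can ever reach a query.
 */
function get_int_param(array $query, string $name): ?int
{
    if (!isset($query[$name]) || is_array($query[$name])) {
        return null;
    }
    $value = filter_var($query[$name], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $value === false ? null : $value;
}

/**
 * Return a "word flag" only if it is one of the values the script understands.
 * Flags act as logic directors, so a closed allow-list is the right check.
 */
function get_flag_param(array $query, string $name, array $allowed): ?string
{
    if (!isset($query[$name]) || !is_string($query[$name])) {
        return null;
    }
    return in_array($query[$name], $allowed, true) ? $query[$name] : null;
}

// Weak form (the post's pattern): the raw parameter is spliced into the SQL.
// With no quotes around the value, escaping does not help; the value is SQL.
function where_clause_unsafe(array $query): string
{
    return "img_type='catalog' AND img_id=" . $query['img_id'];
}

// Hardened form for the existing sql_where design: validate first, so the
// clause can only ever contain digits where the id goes.
function where_clause_validated(array $query): ?string
{
    $img_id = get_int_param($query, 'img_id');
    if ($img_id === null) {
        return null; // caller treats this as "no such record", not as an error
    }
    return "img_type='catalog' AND img_id=" . $img_id;
}

// Preferred form: a prepared statement with bound parameters. The SQL text is
// fixed and the values travel separately, so no escaping decision is needed.
function fetch_catalog_image(PDO $pdo, array $query): ?array
{
    $img_id = get_int_param($query, 'img_id');
    if ($img_id === null) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT * FROM images WHERE img_type = :type AND img_id = :id'
    );
    $stmt->bindValue(':type', 'catalog', PDO::PARAM_STR);
    $stmt->bindValue(':id', $img_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample input standing in for $_GET from the URL in the post.
$sample_get = [
    'parent_id' => '3',
    'item_id'   => '4',
    'img_id'    => '5',
    'catalog'   => 'true',
    'showimage' => 'true',
];

var_dump(get_int_param($sample_get, 'img_id'));
var_dump(get_int_param(['img_id' => '5abc'], 'img_id'));
var_dump(get_flag_param($sample_get, 'catalog', ['true', 'false']));
var_dump(where_clause_validated($sample_get));
var_dump(where_clause_validated(['img_id' => '5abc']));

// Placeholders only; substitute real connection details:
// $pdo = new PDO('mysql:host=DB_HOST;dbname=DB_NAME', 'DB_USER', 'DB_PASS');
// $row = fetch_catalog_image($pdo, $_GET);
```

The validated-clause form fits the existing sql_where setup with the least churn: the hundred scattered WHERE clauses keep their shape, and only the place where a $_GET value is read changes. The prepared-statement form is the stronger long-term fix because it removes the escaping question entirely rather than answering it per field.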