DRCR Dev 3/6/2024
This is how it's formatted. $waiver_id would need the same rules if INT.
DRCR Dev 3/7/2024
This has been worrying me since I replied. How to sanitise the $tour_identifiant to prevent someone typing into the URL bar and hence injecting into the database. I would probably UUID the $tour_identifiant and use a MySQL duplicate key to prevent injection - owner + $tour_identifiant that I store in a separate table before adding (if possible). The risks with a simplified INT are high. If possible, I'd try and get the $tour_identifiant by another means, like a session from the script before. If I couldn't do that, I would use Apache rewrite to hide the $tour_identifiant in the URL and show a friendly URL instead.
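The approach sketched above (UUID-shaped identifier, owner stored server-side, owner + identifier checked as a pair through a parameterised query) in plain PHP, as an added example that is neither the poster's code nor anything PHPRunner generates; the `tours` table, its `owner_id` / `tour_identifiant` columns and the `$_SESSION['owner_id']` key are assumptions.

```php
<?php
// Added example (not from the thread or PHPRunner): read $tour_identifiant from the
// URL, accept it only if it is a well-formed UUID, then look it up together with the
// owner taken from the session, so an edited or guessed URL cannot reach another
// owner's tour. Schema assumption: `tours` carries UNIQUE KEY (owner_id, tour_identifiant).
declare(strict_types=1);
session_start();

const UUID_RE = '/^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i';

/** Return the identifier only if it has UUID shape; null otherwise. */
function validateTourIdentifiant(?string $raw): ?string
{
    return ($raw !== null && preg_match(UUID_RE, $raw) === 1) ? strtolower($raw) : null;
}

/** Fetch the tour row that matches BOTH the logged-in owner and the identifier. */
function loadTourForOwner(PDO $pdo, int $ownerId, string $tourIdentifiant): ?array
{
    // The URL value never becomes part of the SQL text: it travels as a bound parameter.
    $stmt = $pdo->prepare(
        'SELECT id, name FROM tours WHERE owner_id = :owner AND tour_identifiant = :tid'
    );
    $stmt->execute([':owner' => $ownerId, ':tid' => $tourIdentifiant]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$tourIdentifiant = validateTourIdentifiant($_GET['tour_identifiant'] ?? null);
if ($tourIdentifiant === null || !isset($_SESSION['owner_id'])) {
    http_response_code(400);   // malformed identifier or no logged-in owner
    exit('invalid request');
}

$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

$tour = loadTourForOwner($pdo, (int) $_SESSION['owner_id'], $tourIdentifiant);
if ($tour === null) {
    http_response_code(404);   // identifier exists for nobody, or for a different owner
    exit('not found');
}
```

The same two checks (shape validation, then the owner + identifier pair through a bound parameter) apply unchanged if $waiver_id is an INT; only the validation regex changes.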
Yoann (author) 3/8/2024
Actually I put another hidden field in the query $tour_identifiant and I get the value with the default value of the field, so the data entered in the URL should be sanitized by PHPRunner? Am I wrong?
DRCR Dev 3/8/2024
I can't tell from your response exactly. If you have 2 keys and the $tour_identifiant is one of the keys and the user cannot manipulate the first key and both keys are locked as a pair in your database, the only thing a user could manipulate is if a $tour_identifiant shared the first key with some other $tour_identifiant. If you have unique first and second keys I can't think of a way to manipulate that.