
Php/sql Form Hacking?


MrFish

I was thinking. Would it be possible to have my website hacked through forms? Like, if there was a text form that when retrieved looked like this

$username = $_REQUEST["username"];

and the username form was set to something like this-

username"]; Hacking script$asdfsadf = $_REQUEST["adasdad /* This would be to finish it off.*/

Would this be possible?


If the input text field was named "username", and you input the value -

username"]; Hacking script$asdfsadf = $_REQUEST["adasdad /* This would be to finish it off.*/

when it is handled by-

$username = $_REQUEST["username"];

would it not then become-

$username = $_REQUEST["username"]; Hacking script$asdfsadf = $_REQUEST["adasdad"]; /* This would be to finish it off.*/


I may be dense, but I still don't know what you're asking. The first block of code is not valid code. This line:

username"];

doesn't make any sense. Then you just write "Hacking script", which I'm not sure what it's there for, and this line:

$asdfsadf = $_REQUEST["adasdad /* This would be to finish it off.*/

doesn't end correctly. So none of those lines are valid code, I don't know what you're asking. If you have an input called "username", and you submit the form, depending on whether it was submitted through get or post, you can find the value in $_GET['username'] or $_POST['username'], and you can also find it in $_REQUEST['username']. Beyond that, again I don't know what you're asking.


The information received from a form is a string. Strings aren't parsed as code, they are left as they are. $_REQUEST['username'] is an associative array. If you print the values of $_REQUEST you'll get something like:

Array ( 'username' => 'username"];Hacking script$asdfsadf = $_REQUEST["adasdad /* This would be to finish it off.*/')

There is no way to hack just by typing PHP script into a form, because the string is never parsed. What you do need to be careful of is sending MySQL queries with user input data.
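Added example, not part of any post above: it shows the submitted text staying plain string data in PHP, then the SQL case the last reply warns about, with a concatenated query beside a prepared statement. The in-memory SQLite database (standing in for MySQL), the table, the rows, the function names and the crafted value are all constructed for illustration, and the pdo_sqlite extension is assumed.

```php
<?php
// Constructed stand-in for $_REQUEST: the exact text the first post proposes typing.
$request = ['username' => 'username"]; Hacking script$asdfsadf = $_REQUEST["adasdad /* This would be to finish it off.*/'];

$username = $request['username'];
// The value is ordinary string data; PHP does not re-parse it as source code.
var_dump(is_string($username), strlen($username));

// In-memory SQLite database with constructed rows (assumes the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

// Weak: the input is pasted into the SQL text, and SQL text *is* parsed.
function countByConcat(PDO $db, string $name): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '" . $name . "'";
    return (int) $db->query($sql)->fetchColumn();
}

// Corrected: the SQL text is fixed and the input travels as a bound parameter.
function countByPrepared(PDO $db, string $name): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = :name');
    $stmt->execute([':name' => $name]);
    return (int) $stmt->fetchColumn();
}

// Constructed input whose quote changes the WHERE clause when concatenated.
$crafted = "nobody' OR '1'='1";

printf("forum input, prepared: %d\n", countByPrepared($db, $username));
printf("crafted, concatenated: %d\n", countByConcat($db, $crafted));
printf("crafted, prepared:     %d\n", countByPrepared($db, $crafted));
```

With the concatenated query the crafted value counts every row in the table, while the prepared statement treats the same value as a name that matches nothing.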
