5a.5. What's wrong with the PHP script?

Let's take a look at lookupCustomer.php, and see where we might be able to make some improvements. It's OK if you're not familiar with PHP... just get a basic idea of what's going on, so you can tell your PHP guys what to watch out for.

Remember this script from Chapter 2? It's the PHP script that getCustomerInfo() makes a request to.

lookupCustomer.php:

```php
<?php
// Connect to database
$conn = @mysql_connect("mysql.headfirstlabs.com", "secret", "really-secret");
if (!$conn) die("Error connecting to MySQL: " . mysql_error());
if (!mysql_select_db("headfirst", $conn)) die("Error selecting Head First database: " . mysql_error());
```

Even though we get rid of some of the phone number formatting, like (, ), and -, there's still a problem... we're not doing anything to protect against the characters that are in SQL injection attacks, like those single quotes...

```php
$phone = preg_replace("/[\. \(\)\-]/", "", $_REQUEST['phone']);

$select = 'SELECT *';
$from = ' FROM hraj_breakneck';
$where = ' WHERE phone = \'' . $phone . '\'';
```

...and the potentially dangerous string still gets inserted into the SQL query.

```php
$queryResult = @mysql_query($select . $from . $where);
if (!$queryResult) die('Error retrieving customer from the database.');
```

Here's another potential problem. The script loops through all the results it gets, and displays each one... but the script should never return more than one customer. We'll need to fix this.

```php
while ($row = mysql_fetch_array($queryResult)) {
  echo $row['name'] . "\n" . $row['street1'] . "\n" . $row['city'] . ", " . $row['state'] . " " . $row['zipCode'];
}

mysql_close($conn);
?>
```
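For comparison, here is a hardened rewrite of lookupCustomer.php that addresses both callouts. This is an added example, not the book's own listing: it swaps the mysql_* calls for PDO prepared statements (so the phone value is sent as a bound parameter and never becomes part of the SQL text), validates that the cleaned-up phone number is digits only, and refuses to print more than one customer. The host, database, table and credentials are the ones the original script uses; the helper name normalizePhone and the digit-count range are assumptions.

```php
<?php
// Added example (not from the book): hardened lookupCustomer.php.

// Strip the same formatting characters the original strips, then require that
// what remains is digits only. A quote, semicolon or comment marker is rejected
// here instead of being passed on to the database. (Helper name and the 7-15
// digit range are assumptions for this example.)
function normalizePhone(string $raw): ?string
{
    $phone = preg_replace('/[\. \(\)\-]/', '', $raw);
    return preg_match('/^\d{7,15}$/', $phone) === 1 ? $phone : null;
}

$phone = normalizePhone($_REQUEST['phone'] ?? '');
if ($phone === null) {
    http_response_code(400);
    die('Invalid phone number.');
}

try {
    $pdo = new PDO(
        'mysql:host=mysql.headfirstlabs.com;dbname=headfirst;charset=utf8mb4',
        'secret',
        'really-secret',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );

    // The phone value travels as a bound parameter, not as query text, so a
    // single quote in the input cannot change the structure of the statement.
    $stmt = $pdo->prepare(
        'SELECT name, street1, city, state, zipCode FROM hraj_breakneck WHERE phone = ?'
    );
    $stmt->execute([$phone]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
} catch (PDOException $e) {
    // Keep driver error detail in the server log; the client gets a generic message.
    error_log('lookupCustomer: ' . $e->getMessage());
    die('Error retrieving customer from the database.');
}

// A phone number identifies one customer. Zero rows is "not found"; more than
// one means the data is inconsistent, and the script must not print them all.
if (count($rows) === 0) {
    http_response_code(404);
    die('No customer found.');
}
if (count($rows) > 1) {
    error_log('lookupCustomer: ' . count($rows) . ' rows for phone ' . $phone);
    die('Error retrieving customer from the database.');
}

$row = $rows[0];
header('Content-Type: text/plain; charset=utf-8');
echo $row['name'] . "\n" . $row['street1'] . "\n"
   . $row['city'] . ', ' . $row['state'] . ' ' . $row['zipCode'];
```

The two changes map directly onto the two callouts: the prepared statement removes the injection path that the string concatenation in the original opens, and the row-count check replaces the while loop so that at most one customer's details ever go back to getCustomerInfo().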