Zaitech
03-16-2006, 08:42 PM
So I don't entirely understand how SQL injection works, or how to protect against it. Would someone mind explaining it to me a little better?
Also, I have a website that has the main index.php file; in that file are various if-then-else statements that find out what the $_GET of a variable is. Such as:
index.php?page=news
index.php?page=blog
index.php?page=gallary
then I have:
if ($_GET["page"] == 'news') {
include("news.php");
}
Is this a non-secure way of doing things?
StackHost
03-16-2006, 08:47 PM
I don't see anything about databases here.
Dan Grossman
03-16-2006, 10:08 PM
Me neither. SQL stands for Structured Query Language, and is the language used to query databases for information. SQL injection attacks are generally deliberate attempts to pass in bad input to a URL or form POST in order to manipulate the SQL query generated to do something other than intended.
I can go into more detail but there are articles about this you can easily find. The first step in preventing this type of attack is to properly validate and escape input. Make sure input is what you expect -- that a numeric field is actually a number before putting it into a SQL query. Escape strings to prevent use of single quotes to try to inject extra instructions into your query -- PHP provides mysql_real_escape_string() just for this.
jabab
03-18-2006, 09:06 AM
If you don't use SQL, don't worry about SQL injection, or XSS.
IH-Rameen
03-18-2006, 10:35 AM
If you don't use SQL, don't worry about SQL injection, or XSS.
Yep. Instead you should be concerned about code injection ;)
Burhan
03-18-2006, 10:56 AM
XSS has nothing to do with SQL.
Dan L
03-18-2006, 11:23 AM
XSS has nothing to do with SQL.
Yeah. Generally, coding the way the OP does is inefficient, since you have to add a bunch of code for no real reason.
So say you do..
$page = 'content/'.$_GET['page'].'.php';
if(file_exists($page)) {
include $page;
} else {
include 'content/home.php';
}
Now, what if someone does ?page=../../../../badfile ? It will include the bad file.
For starters, just check for / or . in your variable, and throw an error if it's found.
SQL is a whole 'nother ballgame.
if ($_GET["page"] == 'news') {
include("news.php");
}
Is this a non-secure way of doing things?
As long as it's done this way, it isn't dangerous.
sfekt
03-18-2006, 03:17 PM
Is it even connecting to a DB?
fozzy
03-20-2006, 10:28 AM
So I don't entirely understand how SQL injection works, or how to protect against it. Would someone mind explaining it to me a little better?
http://ca.php.net/manual/en/function.mysql-real-escape-string.php
fozzy
03-20-2006, 10:31 AM
So say you do..
$page = 'content/'.$_GET['page'].'.php';
if(file_exists($page)) {
include $page;
} else {
include 'content/home.php';
}
Now, what if someone does ?page=../../../../badfile ? It will include the bad file.
For starters, just check for / or . in your variable, and throw an error if it's found.
Yes that is true but that is not what the OP did.
The OP did:
if ($_GET['page'] == "something")
In that case, if $_GET['page'] does not match any of the if / else if statements, then the user will fall through to the else or drop out of the 'if' statement altogether. That does not leave any room for the type of error you described.
Another way of doing that structure is with the 'switch' statement. It is a bit more efficient than the 'if' statement in this situation.
Burhan
03-21-2006, 04:20 AM
Another way of doing that structure is with the 'switch' statement. It is a bit more efficient than the 'if' statement in this situation.
OR....
// allow-list: the request only picks a key, it never contributes characters to a path
$valid_destinations = array('home' => 'index.php', 'products' => 'products.php', 'support' => '/helpdesk/login.php');
// guard against a missing parameter (undefined index notice) and against ?page[]=x (array instead of string)
$jump_to = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : '';
if (array_key_exists($jump_to,$valid_destinations))
{
include $valid_destinations[$jump_to];
} else {
include 'default.php'; // or whatever
}
call it like foo.php?page=home
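The three patterns discussed in this thread side by side, as an added example that is not code from any of the posters: Dan L's vulnerable resolver, his "no / or ." filter written as an allow-pattern, and Burhan's allow-list map. The file names and the sample inputs are assumptions made up for the demonstration.

```php
<?php
// Added example, not code from any post in this thread. File names are
// assumptions for illustration. Run with: php resolver.php

// 1. The vulnerable pattern from Dan L's post: the raw parameter is spliced
//    into the path, so ?page=../../../../badfile walks out of content/.
function resolve_unsafe(string $page): string
{
    return 'content/' . $page . '.php';
}

// 2. Dan L's suggested filter, written as an allow-pattern rather than a
//    blocklist of "/" and ".": only plain names pass, so "../", backslashes
//    and NUL bytes never reach include().
function is_plain_name(string $page): bool
{
    return preg_match('/^[a-z0-9_-]{1,32}$/', $page) === 1;
}

// 3. Burhan's approach: the request selects an entry in a fixed map and
//    contributes no characters to the path at all. Preferred over (2),
//    because it also refuses names that are well-formed but not meant to
//    be reachable.
const VALID_DESTINATIONS = [
    'home'    => 'content/home.php',
    'news'    => 'content/news.php',
    'gallery' => 'content/gallery.php',
];

function resolve_safe(?string $page): string
{
    // Missing or unknown page falls back to the default page.
    if ($page === null || !array_key_exists($page, VALID_DESTINATIONS)) {
        return VALID_DESTINATIONS['home'];
    }
    return VALID_DESTINATIONS[$page];
}

// Constructed inputs: the third and fourth are traversal / NUL-byte cases,
// the last is a well-formed name that simply is not on the allow-list.
$inputs = ['news', 'gallery', '../../../../badfile', "news\0", 'blog'];
foreach ($inputs as $input) {
    printf("%-26s unsafe=%-38s plain=%-4s safe=%s\n",
        '"' . addcslashes($input, "\0..\37") . '"',
        resolve_unsafe($input),
        is_plain_name($input) ? 'yes' : 'no',
        resolve_safe($input));
}
```

In a real index.php the call would be `include resolve_safe($_GET['page'] ?? null);`, and the `??` also covers the missing-parameter case that the plain `$_GET['page']` lookup does not.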