<div dir="ltr">Hi Wayne<br><div><div class="gmail_extra"><br></div><div class="gmail_extra">I'm deeply concerned by your poor attitude to security; there is no excuse for building applications which are vulnerable to both SQL Injection and Cross-Site Scripting vulnerabilities, as your code sample is. Remember that, under the Data Protection Act, a business has a responsibility to look after the data it is storing.<br>
<br></div><div class="gmail_extra">Using the code sample in a production system is, in my view, professionally negligent, especially given that community members have pointed out the issues.<br><br></div><div class="gmail_extra">
In general terms, whenever data traverses a trust boundary it must be validated. For web applications, data must be validated for every single request. You cannot use a request parameter without first validating it. Never trust your users: they might not act maliciously, but they will act foolishly. Never trust data they input.<br>
<br></div><div class="gmail_extra">1) You should never concatenate data into SQL queries without escaping it; it's one function call. Preferably, use prepared statements.<br><br> $queryz = "SELECT * FROM property WHERE postcode like '%$postcodevoid%' and let = '1'";<br>
<br></div><div class="gmail_extra">If $postcodevoid were to be something like: <br><br> '; DROP TABLE property; --<br></div><div class="gmail_extra">
<br></div><div class="gmail_extra">You're going to have a bad day.<br><br><br></div><div class="gmail_extra">2) You should never output data in HTML without HTML escaping it.<br><br> print("<TD width=10% wrap style=\"wrap: 1 solid #800000\">".$rowz["address1"]. " </td> ". " ");<br>
<br></div><div class="gmail_extra">If $rowz["address1"] were to be something like:<br><br></div><div class="gmail_extra"> <script>window.location='<a href="http://mybadsite.com/">http://mybadsite.com/</a>'</script><br>
<br></div><div class="gmail_extra">You're going to have a bad day.<br></div><div class="gmail_extra"><br><br></div><div class="gmail_extra">I'll leave you with: <a href="http://xkcd.com/327/">http://xkcd.com/327/</a><br>
</div><div class="gmail_extra"><br><br></div><div class="gmail_extra">Regards,<br></div><div class="gmail_extra">Chris Ellis<br></div></div></div>
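The two issues raised in the message above, reproduced side by side with their fixes as an added example (this is not code from the original e-mail or from Wayne's application). It uses Python's sqlite3 and html modules in place of the PHP/MySQL stack the thread discusses; the table layout, sample rows and the hypothetical function names search_vulnerable, search_safe and render_cell are constructed for the demonstration. The stacked-statement DROP TABLE from the message is run through executescript to emulate a driver that accepts multiple statements per call, which sqlite3's plain execute does not.

```python
import html
import sqlite3

# Constructed sample data: a "property" table shaped like the one the PHP query reads.
# The third address is a stored XSS payload of the kind the message describes.
SAMPLE_ROWS = [
    ("SW1A 1AA", "1 Example Row", 1),
    ("SW1A 2BB", "2 Example Row", 0),
    ("EC1A 1BB", "<script>window.location='http://mybadsite.com/'</script>", 1),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE property (postcode TEXT, address1 TEXT, let INTEGER)")
    conn.executemany("INSERT INTO property VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, postcodevoid):
    # Mirrors the PHP: user input concatenated straight into the SQL text.
    queryz = ("SELECT address1 FROM property WHERE postcode like '%"
              + postcodevoid + "%' and let = '1'")
    return [row[0] for row in conn.execute(queryz)]


def search_vulnerable_stacked(conn, postcodevoid):
    # Same concatenation, but through an API that runs several statements per call,
    # so the "'; DROP TABLE property; --" payload from the message actually fires.
    queryz = ("SELECT address1 FROM property WHERE postcode like '%"
              + postcodevoid + "%' and let = '1'")
    conn.executescript(queryz)


def table_exists(conn, name):
    row = conn.execute("SELECT name FROM sqlite_master WHERE type='table' AND name=?",
                       (name,)).fetchone()
    return row is not None


def search_safe(conn, postcodevoid):
    # Prepared statement: the input is bound as a value, never parsed as SQL.
    # The LIKE wildcards are added to the bound value, not to the query text.
    sql = "SELECT address1 FROM property WHERE postcode LIKE ? AND let = 1"
    return [row[0] for row in conn.execute(sql, ("%" + postcodevoid + "%",))]


def render_cell(address1):
    # Counterpart to the PHP print(): escape before the value reaches the HTML.
    return '<td width="10%">' + html.escape(address1) + "</td>"


if __name__ == "__main__":
    conn = build_db()
    print("honest input, vulnerable:", search_vulnerable(conn, "SW1A"))
    print("filter bypass, vulnerable:", search_vulnerable(conn, "' OR 1=1 --"))
    print("same payload, prepared:   ", search_safe(conn, "' OR 1=1 --"))
    for addr in search_safe(conn, ""):
        print(render_cell(addr))
    search_vulnerable_stacked(conn, "'; DROP TABLE property; --")
    print("property table still exists:", table_exists(conn, "property"))
```

The `' OR 1=1 --` input shows the quieter failure: no table is dropped, but the `let = '1'` filter is commented out and every row comes back. The prepared statement treats the same string as a LIKE pattern and returns nothing, which is the correct answer for that postcode.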