<p dir="ltr"><br>
On 16 Jul 2013 01:06, "Wayne Morris" <<a href="mailto:waynelists@machx.co.uk">waynelists@machx.co.uk</a>> wrote:<br>
> users have absolutely no opportunity to enter/write ANY data to the database (apart from in a remarks column which IS escaped) - all other interaction with the database is by radio buttons, timestamps being entered<br>
> into fields automatically etc. </p>
<p dir="ltr">While you'll maybe be safe simply because you don't have enough users (but remember, it only takes one attack from one malicious user, no matter how few you have total or how soon their access is revoked), I wouldn't be so sure. The HTML output suggests this is done via forms on a page, and check boxes/dropdowns/etc. are submitted as their value. This means if someone edits the page, or simply sends a false request, the values you receive may *not* be expected values.</p>
<p dir="ltr">Basically: never trust *anything* sent via an HTML form unless you've checked it and/or sanitized it already.</p>
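<p dir="ltr">An added illustration of the point above (example code written for this page, not code from either poster or their application): a hypothetical ticket table whose <code>status</code> column is set from a radio button on the form. The "unsafe" handler trusts the submitted value because the form only offers three buttons; the "safe" handler checks the value against the set of values the form actually offers and uses a bound parameter. The forged request below is constructed to show both failure modes the reply describes: a value that is simply not one of the radio buttons, and a value crafted so that splicing it into SQL rewrites the WHERE clause.</p>

```python
import sqlite3

# The only values the radio buttons on the (hypothetical) form can send.
ALLOWED_STATUS = {"open", "in_progress", "done"}


def make_db():
    """Build an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, status TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO tickets (id, status) VALUES (?, ?)",
        [(1, "open"), (2, "open"), (3, "done")],
    )
    conn.commit()
    return conn


def unsafe_update(conn, form):
    """Trusts the radio-button value: 'the form only has three buttons, so
    status must be one of them'. The id is cast to int, but status is spliced
    straight into the SQL text."""
    ticket_id = int(form["id"])
    sql = f"UPDATE tickets SET status = '{form['status']}' WHERE id = {ticket_id}"
    conn.execute(sql)
    conn.commit()


def safe_update(conn, form):
    """Treats every form field as attacker-controlled: the value must be one
    the form offers, and it is passed to the driver as a bound parameter."""
    status = form.get("status")
    if status not in ALLOWED_STATUS:
        raise ValueError(f"unexpected status value: {status!r}")
    ticket_id = int(form["id"])  # raises ValueError on a non-numeric id
    conn.execute("UPDATE tickets SET status = ? WHERE id = ?", (status, ticket_id))
    conn.commit()
    return status


def statuses(conn):
    """Snapshot of the table as {id: status}, for checking results."""
    return dict(conn.execute("SELECT id, status FROM tickets ORDER BY id"))


# Constructed forged requests. A browser never sends these from the real
# form, but anything that can speak HTTP can.
FORGED_VALUE = {"id": "1", "status": "admin_approved"}           # not a radio button
FORGED_SQL = {"id": "1", "status": "done' WHERE 1=1 --"}         # rewrites the WHERE clause
HONEST = {"id": "2", "status": "in_progress"}                    # what the form really sends


def demo_unsafe(form):
    """Run the trusting handler against one request and return the table."""
    conn = make_db()
    unsafe_update(conn, form)
    return statuses(conn)


def demo_safe(form):
    """Run the checking handler; return the table, or 'rejected' if it refused."""
    conn = make_db()
    try:
        safe_update(conn, form)
    except ValueError:
        return "rejected"
    return statuses(conn)


if __name__ == "__main__":
    print("unsafe, forged value :", demo_unsafe(FORGED_VALUE))  # row 1 gets a value no button offers
    print("unsafe, forged SQL   :", demo_unsafe(FORGED_SQL))    # every row becomes 'done'
    print("safe, forged value   :", demo_safe(FORGED_VALUE))
    print("safe, forged SQL     :", demo_safe(FORGED_SQL))
    print("safe, honest request :", demo_safe(HONEST))
```

<p dir="ltr">The second forged request is the one people expect (injection); the first is the one the reply is actually warning about: nothing is "escaped" wrongly, the database simply stores a status the application never meant to exist, because the server assumed the browser would only ever send what the form displayed. The allowlist check is what closes that, and the bound parameter closes the injection independently of it.</p>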