[Phpwm] site critique please
David Goodwin
david at codepoets.co.uk
Tue Jan 16 17:51:38 GMT 2007
Dave Holmes wrote:
> Phil,
>
> David just illustrated a symptom of the problem, in a kind, non-obtrusive
> way.
>
> A more malicious hacker would be tempted to try embedding commands in the
> SQL, in particular commands which could grant user rights and access to
> poorly configured servers.
>
> What David illustrated is you are taking parameters direct from the URL and
> firing them straight at the database, when you should be performing a sanity
> check or clean up.
>
> In addition, you should also consider the use of addslashes to negate this
> problem, as this would escape the apostrophe and MySQL would treat it as a
> string.
From reading various posts, there are a number of reasons why you
_shouldn't_ use addslashes (or magic quotes).
Use either prepared statements or the database-specific *_escape_string.
Thanks,
David.
--
David Goodwin
[ david at codepoets dot co dot uk ]
[ http://www.codepoets.co.uk ]
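As an added illustration of the three approaches discussed in this thread (this is example code, not code posted by either list member), the following puts the unsafe pattern Dave describes, a URL parameter concatenated straight into the SQL, beside a PDO prepared statement and beside the driver-specific escaping function David recommends. The table `products(id, name)`, the database name and the credentials are assumed placeholders.

```php
<?php
// Added example for the thread above. Assumes a table products(id INT, name VARCHAR)
// and placeholder connection details; none of this is from the original posts.

// Unsafe: $_GET['id'] goes into the query text unchanged. A value containing an
// apostrophe terminates the string literal early (the symptom David showed), so
// the database sees a malformed statement, or a statement it was never meant to run.
function lookupUnsafe(mysqli $db, string $id): ?array
{
    $sql = "SELECT id, name FROM products WHERE id = '" . $id . "'";
    $result = $db->query($sql);
    return $result ? $result->fetch_assoc() : null;
}

// Preferred: validate the input against what it should be (the "sanity check"
// Dave mentions), then use a prepared statement. The SQL text and the bound value
// travel separately, so the value can never alter the structure of the query.
function lookupPrepared(PDO $db, string $id): ?array
{
    if (!ctype_digit($id)) {
        return null;                       // an id must be a plain unsigned integer
    }
    $stmt = $db->prepare('SELECT id, name FROM products WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Acceptable where prepared statements are not available: the driver's own
// escaping function. Unlike addslashes(), it knows the connection's character set,
// which is why the thread prefers it; set_charset() must be called first.
function lookupEscaped(mysqli $db, string $id): ?array
{
    $safe = $db->real_escape_string($id);
    $sql = "SELECT id, name FROM products WHERE id = '" . $safe . "'";
    $result = $db->query($sql);
    return $result ? $result->fetch_assoc() : null;
}

// Usage with placeholder credentials (dbname, user and password are assumptions).
$pdo = new PDO(
    'mysql:host=localhost;dbname=shop;charset=utf8mb4',
    'user',
    'secret',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
    ]
);
$id = $_GET['id'] ?? '';
var_dump(lookupPrepared($pdo, $id));
```

The prepared-statement version is the one to reach for: it removes the escaping question entirely, and the `ctype_digit()` check rejects anything that is not a plain integer before it reaches the database at all. The escaping variant is kept only to show the fallback David names; it still builds SQL by string concatenation and depends on the connection charset being set correctly.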