[Phpwm] site critique please
Greg Jones
greg.jones at gmail.com
Tue Jan 16 18:34:17 GMT 2007
>
> In this case, anything I put into ident= on the URL will be passed to
> MySQL. I could therefore do something like :
>
> http://foo.bar/whatever.php?ident=12';DROP DATABASE;'
>
> That would then get executed as 'DROP DATABASE' within MySQL... hence
> it's a problem.
>
I agree entirely with the idea of always using *_escape_string or prepared
statements, but mysql_query will only let you pass one statement at a time
to it, so your example wouldn't work (pg_query doesn't have the same
limitation/feature, and neither does the underlying C call, so I wouldn't
necessarily rely on it always being there for mysql...).
While we're on the topic, running $_GET['short'] through htmlentities (on
your feedback page) is also a good idea to prevent cross-site scripting.
Other than that, the site's not particularly functional without javascript
(the enlarged images could very easily degrade to opening a new window
with target="_blank") and the site requires horizontal scrolling at
1024x768. As a guide, the Senokian site has around 45% of its visitors at
that resolution (another 5% even smaller) so ignoring them probably isn't
sensible.
Greg
--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
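To make the two points in this thread concrete (send user input to MySQL as a bound parameter, and HTML-encode it on output), here is an added example that is not from the original post or the site under review. It uses the mysqli extension rather than the old mysql_* functions, because mysqli exposes prepared statements and because its multi_query() shows that the "one statement per call" behaviour is not something to build a defence on. The table name `items`, the columns `id` and `title`, and the connection details are assumptions.

```php
<?php
// Added example (not part of the original list post): hardened handling of
// the ident= and short= parameters discussed above.
// Assumptions: a MySQL table `items` with an integer primary key `id` and a
// text column `title`; connection details are placeholders.

declare(strict_types=1);

// 1. Validate the type before the value goes anywhere near SQL.
//    ident must be a positive integer; anything else is rejected outright,
//    so a value like "12';DROP DATABASE;'" never reaches the query.
$ident = filter_input(INPUT_GET, 'ident', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($ident === false || $ident === null) {
    http_response_code(400);
    exit('Invalid ident');
}

// 2. Use a prepared statement so the value travels as data, not as SQL text.
//    The SQL string itself contains no user input, so quoting tricks and the
//    single-vs-multi-statement question do not come into it.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli(
    'localhost',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    'DB_NAME_PLACEHOLDER'
);
$db->set_charset('utf8mb4');

$stmt = $db->prepare('SELECT id, title FROM items WHERE id = ?');
$stmt->bind_param('i', $ident);   // 'i' binds the value as an integer
$stmt->execute();
$stmt->bind_result($id, $title);
$found = $stmt->fetch();          // true when a row matched, null otherwise
$stmt->close();

if ($found !== true) {
    http_response_code(404);
    exit('Not found');
}

// 3. Escape on output. The feedback page's short= parameter, and anything
//    read back from the database, is HTML-encoded before it is written into
//    the page; this is what prevents reflected and stored cross-site scripting.
$short     = (string) ($_GET['short'] ?? '');
$safeShort = htmlentities($short, ENT_QUOTES | ENT_HTML5, 'UTF-8');
$safeTitle = htmlentities((string) $title, ENT_QUOTES | ENT_HTML5, 'UTF-8');

echo "<h1>{$safeTitle}</h1>\n";
echo "<p>Feedback: {$safeShort}</p>\n";
```

The type check in step 1 is cheap and catches the obvious case, but the prepared statement in step 2 is the actual control: it holds even for parameters that legitimately contain quotes or semicolons, which an integer filter could not accept. If a site is still on the legacy mysql extension, mysql_real_escape_string() around a quoted value was the available equivalent; that extension was removed in PHP 7, so the prepared-statement form is the one worth writing now.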