[Phpwm] site critique please

Greg Jones greg.jones at gmail.com
Tue Jan 16 18:34:17 GMT 2007


>
> In this case, anything I put into ident= on the URL will be passed to  
> MySQL. I could therefore do something like :
>
> http://foo.bar/whatever.php?ident=12';DROP DATABASE;'
>
> That would then get executed as 'DROP DATABASE' within MySQL... hence  
> it's a problem.
>


I agree entirely with the idea of always using *_escape_string or prepared  
statements, but mysql_query will only let you pass one statement at a time  
to it, so your example wouldn't work (pg_query doesn't have the same  
limitation/feature, and neither does the underlying C call, so I wouldn't  
necessarily rely on it always being there for mysql...).


While we're on the topic, running $_GET['short'] through htmlentities (on  
your feedback page) is also a good idea to prevent cross-site scripting.

Other than that, the site's not particularly functional without javascript  
(the enlarged images could very easily degrade to opening a new window  
with target="_blank") and the site requires horizontal scrolling at  
1024x768. As a guide, the Senokian site has around 45% of its visitors at  
that resolution (another 5% even smaller) so ignoring them probably isn't  
sensible.

Greg

-- 
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
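The two fixes the message recommends (a prepared statement in place of interpolating `ident=` into the query, and `htmlentities` on `$_GET['short']` before it is echoed back) look like this in PHP. This is an added example, not code from the original thread or from the site being critiqued; the `items` table, its `id`/`name` columns, the `fetch_item` and `h` helper names and the database credentials are all assumptions.

```php
<?php
// Added example (not from the original thread). Assumed: a MySQL table
// `items` with an integer primary key `id` and a `name` column, and a
// feedback form whose `short` field is echoed back into the page.

// --- 1. SQL: bind the value instead of interpolating it -------------------
// The original code effectively ran "... WHERE id = '$_GET[ident]'".
// As the message says, mysql_query() takes only one statement, so the
// quoted ';DROP DATABASE' payload would fail, but a single-statement
// injection can still rewrite the WHERE clause. A prepared statement sends
// the SQL and the value separately, so the value can never become SQL.
function fetch_item(mysqli $db, string $ident): ?array
{
    // ident is an integer key: reject anything that is not all digits first.
    if (!ctype_digit($ident)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, name FROM items WHERE id = ?');
    $stmt->bind_param('i', $ident);          // 'i' = bind as integer
    $stmt->execute();
    $stmt->bind_result($id, $name);
    $row = $stmt->fetch() ? ['id' => $id, 'name' => $name] : null;
    $stmt->close();
    return $row;
}

// --- 2. HTML: escape on output to prevent cross-site scripting ------------
// ENT_QUOTES also converts single quotes, so the result is safe inside
// attribute values such as value='...' as well as in element text.
function h(string $s): string
{
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// Assumed connection details; replace with the site's own.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'site');
$item  = fetch_item($db, $_GET['ident'] ?? '');
$short = $_GET['short'] ?? '';
?>
<p><?= $item ? h($item['name']) : 'No such item' ?></p>
<input type="text" name="short" value="<?= h($short) ?>">
```

The type check before the query is belt-and-braces: the bound parameter alone already stops injection, but rejecting non-numeric `ident` values early keeps malformed requests out of the database entirely. The same `h()` wrapper should be applied to every user-supplied value the page prints, not just `short`.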
