[thelist] PHP help required please

Andrew Forsberg andrew at thepander.co.nz
Mon Feb 4 13:19:00 CST 2002


>  >setcookie("LOGININFO", "$username");
>>
>  >$sql = "INSERT INTO  '$LOGININFO' (prod_id,prod_name,prod_price) VALUES
>>('1','2','3')";
>
>That's not nearly the best way to do things, let alone dealing with the
>cookies. What if two people have the same usernames, or someone wants a
>username that's a reserved word in the database system?

[...]

>dave'; drop database; insert into 'dave
>
>This would screw up your entire database. Very insecure, to insert stuff for
>SQL right from the client-side...
>
>--Jason

Very scary stuff indeed.

Even storing user names on the client's machine is far from ideal.
You might find, Dave, that if you do choose to use PHP's session
management functions that several of your troubles disappear. These
functions hide some of the complexities of cookie handling from your
program.


--
Andrew Forsberg
---
uberNET - http://uber.net.nz/
the pander - http://thepander.co.nz/
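As an added example (not code from the thread), here is the login-then-insert flow rewritten so the username stays server-side in the PHP session and the SQL values go through a prepared statement. It assumes a PDO connection `$pdo`, a `users` table with `id`, `username` and `password_hash` columns, and a fixed `products` table with a `user_id` column; none of these come from the original post.

```php
<?php
// Added example, not from the thread. Assumes: a PDO connection $pdo,
// a `users` table (id, username, password_hash) and a fixed `products`
// table (user_id, prod_id, prod_name, prod_price).

// Harden the session cookie before starting the session (PHP 7.3+ array form).
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
session_start();

// Look the user up with a bound parameter; the username is never concatenated
// into the SQL text, so "dave'; drop database; ..." is just a string value.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

function login(PDO $pdo, string $username, string $password): bool
{
    $userId = authenticate($pdo, $username, $password);
    if ($userId === null) {
        return false;
    }
    // Fresh session id on login, then keep the identity server-side.
    // The browser only ever holds the opaque PHPSESSID cookie, not the username.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['username'] = $username;
    return true;
}

function addProduct(PDO $pdo, int $prodId, string $prodName, float $prodPrice): bool
{
    if (!isset($_SESSION['user_id'])) {
        return false; // not logged in; identity is never read from client-supplied data
    }
    // The table name is fixed in the code. Identifiers cannot be bound as
    // parameters, so a per-user table name would reopen the injection problem;
    // ownership is expressed as a column instead.
    $stmt = $pdo->prepare(
        'INSERT INTO products (user_id, prod_id, prod_name, prod_price) VALUES (?, ?, ?, ?)'
    );
    return $stmt->execute([$_SESSION['user_id'], $prodId, $prodName, $prodPrice]);
}
```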


