[thelist] [Easy as Pie] Working with a Database

Jon Hughes hughesj at firemtn.com
Fri Jan 18 17:04:00 CST 2008


David,

I certainly appreciate your comments.

I'm not seeing where I am vulnerable to XSS, as I am using htmlentities on
the output, but I did in fact forget to escape the input to the database
- http://us.php.net/addslashes is the preferred method, right?

 - Jon

> -----Original Message-----
> From: thelist-bounces at lists.evolt.org [mailto:thelist-
> bounces at lists.evolt.org] On Behalf Of David Dorward
> Sent: Friday, January 18, 2008 2:52 PM
> To: thelist at lists.evolt.org
> Subject: Re: [thelist] [Easy as Pie] Working with a Database
> 
> On 18 Jan 2008, at 22:25, Jon Hughes wrote:
> > Third article in the series, let me know what you think:
> > http://www.phazm.com/notes/easy-as-pie/easy-as-pie-working-with-databases
> 
> I've only briefly skimmed it ... but:
> 
> With the combination of your page header, and adverts, I have to
> scroll down two full window lengths before I get to the content.
> 
> The code is vulnerable to both SQL Injection and XSS attacks (this,
> by itself, is, in my opinion, reason enough to remove it from the web
> immediately).
> 
> Your HTML form uses XHTML syntax.
> 
> Blockquote elements can't directly contain character data in Strict
> variants of (X)HTML.
> 
> You use a while loop with a counter where a for loop would probably
> be more appropriate.
> 
> The LIMIT clause is a proprietary extension to SQL and probably
> should be avoided.
> 
> --
> David Dorward
> http://dorward.me.uk/
> http://blog.dorward.me.uk/
> 
> 
> --
> 
> * * Please support the community that supports you.  * *
> http://evolt.org/help_support_evolt/
> 
> For unsubscribe and other options, including the Tip Harvester
> and archives of thelist go to: http://lists.evolt.org
> Workers of the Web, evolt !



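As an added example (not code from the article or from either poster), here is the database-input and HTML-output handling the thread discusses, written with a PDO prepared statement on the input side and htmlentities on the output side. The table name `notes`, its columns `id`, `title` and `body`, the DSN and the credentials are all assumed.

```php
<?php
// Added example, not from the thread or the "Easy as Pie" article.
// Assumed schema: table `notes` with columns `id`, `title`, `body`.

// Database side: bind the user's value as a parameter instead of escaping
// it into the SQL string. The value travels separately from the query
// text, so quotes in $search cannot change the structure of the query.
function findNotes(PDO $db, string $search, int $limit = 10): array
{
    // With emulated prepares PDO would interpolate values client-side and
    // quote the LIMIT integer as a string, which MySQL rejects; turn it off.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

    $stmt = $db->prepare(
        'SELECT id, title, body FROM notes WHERE title LIKE :pattern LIMIT :lim'
    );
    // The LIKE pattern is assembled in PHP and bound as a string; the LIMIT
    // value is bound as an integer so the server accepts the placeholder.
    $stmt->bindValue(':pattern', '%' . $search . '%', PDO::PARAM_STR);
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output side: escape at the point of output, stating the quote style
// and charset explicitly so attribute and text contexts are both covered.
function h(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage: $_GET['q'] stands in for the form field from the article.
$db = new PDO('mysql:host=localhost;dbname=easyaspie;charset=utf8mb4', 'user', 'pass');
$q = isset($_GET['q']) ? (string) $_GET['q'] : '';
foreach (findNotes($db, $q) as $row) {
    echo '<h2>' . h($row['title']) . '</h2>';
    echo '<p>' . h($row['body']) . '</p>';
}
```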