[thelist] PHP tip
Andrew Maynes
andrew at humanbehaviour.co.uk
Tue Feb 4 12:54:00 CST 2003
How would someone know what the DB name is? A command like this would need a
yes or a no response; where would that be displayed if such a malicious piece of
code was inserted into where? The browser?
>"trevor'; drop database <whatever your databaseName is>" into a form
>field, and because you haven't checked this value (ie: used
>strip_tags() or addslashes() just for *starters*) a malicious piece of
>sql could be executed and screw your database.
>
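As an added illustration of the quoted point (example code, not from the original thread), the same lookup is written twice against a throwaway in-memory SQLite database: once with the form value pasted into the SQL text, once as a prepared statement. The input string is constructed here; it uses a closing quote to break out of the literal rather than the `; drop database` form from the quote, because whether a second statement would run depends on the driver allowing multiple statements per call, while the broken-out quote works everywhere.

```php
<?php
// Added example, not code from the original post. Uses PDO with SQLite in memory
// so it runs without a database server; the table and rows are constructed here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (name TEXT)");
$db->exec("INSERT INTO users (name) VALUES ('trevor'), ('alice')");

// Constructed form input: the single quote ends the string literal early, and
// the rest of the text is then parsed as SQL instead of as data.
$input = "trevor' OR '1'='1";

// 1. Vulnerable: the unchecked form value becomes part of the SQL source text.
function findUserVulnerable(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Hardened: a prepared statement sends the value separately from the query,
//    so it can only ever be compared as a string, never interpreted as SQL.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare("SELECT name FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The vulnerable version returns every row (the WHERE clause became a tautology);
// the safe version returns nothing, because no user is literally named that.
print_r(findUserVulnerable($db, $input));
print_r(findUserSafe($db, $input));
```

The difference in the two result sets is the whole vulnerability: the database never "asks" the user for a yes or no, it simply runs whatever SQL it was handed, and the browser only shows whatever the page chooses to print afterwards.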