[thelist] PHP tip

Rob Whitener rwhitener at DesignOptions.com
Tue Feb 4 13:04:00 CST 2003


I do hide all of my database connection information in an include file.
Users don't have to know the name of the database, they just connect.  This
is probably not in any way shape or form secure, but how do you get around
it?  Force logons for everything?  Taking information right from $_POST may
not be the best way to do it, but I do believe that proofing on the client
side would make this a valid way to insert information into the database.
In the case of empty strings, I can also proof on the client side by
inserting NULL into a field before it is submitted.

Rob

-----Original Message-----
From: Andrew Maynes [mailto:andrew at humanbehaviour.co.uk]
Sent: Tuesday, February 04, 2003 1:59 PM
To: thelist at lists.evolt.org
Subject: RE: [thelist] PHP tip


how would someone know what the DB name is?  A command like this would need
a yes or a no response; where would that be displayed if such a malicious piece
of code was inserted into where?  The browser?


>"trevor'; drop database <whatever your databaseName is>" into a form
>field, and because you haven't checked this value (ie:  used
>strip_tags() or addslashes() just for *starters*) a malicious piece of
>sql could be executed and screw your database.
>

--
* * Please support the community that supports you.  * *
http://evolt.org/help_support_evolt/

For unsubscribe and other options, including the Tip Harvester
and archives of thelist go to: http://lists.evolt.org
Workers of the Web, evolt !
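The two ways of handling a $_POST value that the thread argues about, shown side by side as an added example (this is not code from Rob's or Andrew's posts). The point the quoted warning makes is that the injected SQL runs over the connection the include file already opened, so the attacker never needs to know the database name, and checks done in the browser do not help because the attacker controls the browser. The table and column names, the in-memory SQLite database (requires the pdo_sqlite extension) and the request array are all assumptions made so the script runs offline:

```php
<?php
// Added example, not part of the thread: the unchecked-concatenation pattern the
// quoted message warns about, beside the parameterised form that fixes it.
// Table/column names and the SQLite backend are assumptions for a self-contained run.

declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NULL)');
    return $db;
}

// 1. The pattern the quoted message warns about: the form value is pasted
//    straight into the SQL text. Whatever "proofing" the browser did, the
//    server still trusts the string, and a single quote ends the literal and
//    lets the rest of the value be parsed as SQL.
function insertUnsafe(PDO $db, array $post): int
{
    $sql = "INSERT INTO users (name, email) VALUES ('" . $post['name'] . "', '" . $post['email'] . "')";
    return $db->exec($sql);   // an apostrophe in $post['name'] breaks this statement
}

// 2. Hardened form: the SQL text is fixed at prepare time and the values travel
//    as bound parameters, so they can never be parsed as SQL. Validation and the
//    empty-string-to-NULL decision happen here, server-side, because anything the
//    client sends (including a NULL it promised to insert) is untrusted input.
function insertSafe(PDO $db, array $post): int
{
    $name  = trim((string)($post['name'] ?? ''));
    $email = trim((string)($post['email'] ?? ''));
    if ($name === '' || strlen($name) > 64) {
        throw new InvalidArgumentException('name is required and must be at most 64 characters');
    }
    $stmt = $db->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    if ($email === '') {
        $stmt->bindValue(':email', null, PDO::PARAM_NULL);
    } else {
        $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed request body: a perfectly legitimate name containing an apostrophe,
// plus an empty optional field. No attack payload is needed to show the defect.
$post = ['name' => "O'Brien", 'email' => ''];

$db = makeDb();
try {
    insertUnsafe($db, $post);
    echo "unsafe insert succeeded\n";
} catch (PDOException $e) {
    // The apostrophe terminated the string literal and the statement failed to parse.
    echo "unsafe insert failed: " . $e->getMessage() . "\n";
}

$inserted = insertSafe($db, $post);
echo "safe insert affected {$inserted} row(s)\n";
var_dump($db->query('SELECT name, email FROM users')->fetch(PDO::FETCH_ASSOC));
```

The legitimate apostrophe makes the unsafe version fail outright, which is the same parsing behaviour an injected value relies on; the bound-parameter version stores it as data. strip_tags() and addslashes(), the functions the quoted message names as "starters", rewrite the string but leave it inside the SQL text, which is why prepared statements rather than escaping are the fix.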