On 30 January 2004 12:35, jimbo wrote:

> Great - thanks v. much Mike.  I don't know why there was no mention of
> eval() in the section of the manual on Variable Parsing.

Possibly because they didn't want to get into the security issues involved.
It sounds like you're ok there, as you only intend putting very controlled
values into the database.

The problem comes if you're potentially eval()-ing user-supplied values that
have been insufficiently validated.  Just suppose, for example, that it was
possible for a user to somehow get a value such as 'system("rm
/etc/passwds")' inserted into the database in a field that you then
eval()...

Cheers!

Mike

---------------------------------------------------------------------
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730      Fax:  +44 113 283 3211 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
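
An added example, not part of the original message or of the PHP manual: one way to get variable substitution in database-stored strings without eval(), by treating the stored value as data and expanding only allow-listed names. The function name render_template(), the {$name} placeholder syntax and the sample rows are assumptions constructed for illustration.

```php
<?php
// Added example (hypothetical names throughout); requires PHP 7 or later.

/**
 * Expand {$name} placeholders in a stored template from an allow-list.
 * The template is only ever scanned as text; nothing in it is executed.
 */
function render_template(string $template, array $allowed): string
{
    $out = preg_replace_callback(
        '/\{\$([A-Za-z_][A-Za-z0-9_]*)\}/',
        function (array $m) use ($allowed): string {
            // Names outside the allow-list are left as literal text,
            // so a stored value cannot reach arbitrary variables.
            if (!array_key_exists($m[1], $allowed)) {
                return $m[0];
            }
            return (string) $allowed[$m[1]];
        },
        $template
    );

    // preg_replace_callback() returns null on a PCRE error; fail closed.
    if ($out === null) {
        throw new RuntimeException('template expansion failed');
    }
    return $out;
}

// Constructed sample rows standing in for values read from the database.
$rows = [
    'Welcome back, {$user}. You have {$count} new messages.',
    // The value from the message above: eval() would run it as code,
    // whereas here it passes through as inert text.
    'system("rm /etc/passwds")',
    'Unknown placeholder {$secret} stays as written.',
];

// The only names a stored template is allowed to expand.
$values = ['user' => 'jimbo', 'count' => 3];

foreach ($rows as $row) {
    echo render_template($row, $values), PHP_EOL;
}
```

Escaping the result for wherever it is printed (HTML, SQL, shell) is a separate step that this sketch does not perform.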