> Anyway, it's not a big thing if you're _really_ stringent about how you
> check every single variable which is used in a database query,
> system/passthru/exec, or eval command, and your checking methods are
> flawless, but otherwise it's just best to go to the trouble of hacking
> around the in
Basically, use one of the escape functions :)
For instance, looking at this piece of code:
$result = mysql_query("SELECT * FROM table WHERE username='$username' AND password='$password'");
Now, you have the variables $username and $password to worry about. Now we
ask ourselves, what characters
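As an added illustration (not code from this thread), the query above written the vulnerable way next to a prepared-statement version that needs no escaping at all; it assumes a PDO connection in $pdo and a `users` table with `username` and `password` columns.

```php
<?php
// Added example, not from the mailing-list thread. Assumes a PDO MySQL
// connection $pdo and a `users` table with `username` and `password` columns.

// The form shown in the thread: the request values are interpolated into the
// SQL text, so a quote character inside $username or $password closes the
// string literal and the remainder of the value is parsed as SQL. Whether
// this is safe depends entirely on every value being escaped first.
function loginQueryInterpolated(string $username, string $password): string {
    return "SELECT * FROM users WHERE username='$username' AND password='$password'";
}

// Hardened form: the SQL text contains only placeholders and the values travel
// separately, so quotes, backslashes and NUL bytes in the input cannot change
// the statement, and magic_quotes_gpc has no bearing on its correctness.
function findUser(PDO $pdo, string $username, string $password): ?array {
    $stmt = $pdo->prepare(
        'SELECT * FROM users WHERE username = :username AND password = :password'
    );
    $stmt->execute([':username' => $username, ':password' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// With magic_quotes_gpc enabled (removed in PHP 5.4), request values already
// carry added backslashes. Strip them exactly once, at the input boundary,
// so the stored data does not end up with literal backslashes; the value is
// then passed to the prepared statement as-is.
function rawRequestValue(string $name): string {
    $value = $_POST[$name] ?? '';
    $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $magic ? stripslashes($value) : $value;
}
```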
> Anyway, it's not a big thing if you're _really_ stringent about how you
> check every single variable which is used in a database query,
> system/passthru/exec, or eval command, and your checking methods are
> flawless, but otherwise it's just best to go to the trouble of hacking
> around the in
I saw an article just a few days ago on "Hacking PHPNuke" that was an
excellent example of how the escape GPC thing saved a program from a major
security hole caused by a very minor oversight in less than 0.01% of the
code. Can't remember the name of the site...I think it was linked from
TheRegiste
Hi Mark,
> > It's nice in that it adds to how secure PHP code is, but it can be a
> > hassle.
>
> Out of curiosity, what are the security implications? Presumably a
> failure to validate input properly leading to unintended actions, but I can't
> think of any examples to help me decide whether to
> It's a feature of PHP that it automatically escapes data submitted in
> PUT/GET/etc.
It didn't seem to be happening with POST which is why I thought it odd, but
that probably means I didn't test properly :-)
> It's nice in that it adds to how secure PHP code is, but it can be a
> hassle.
Out of
It's a feature of PHP that it automatically escapes data submitted in
PUT/GET/etc.
It's nice in that it adds to how secure PHP code is, but it can be a hassle.
Not sure if there is a function which removes escape characters while leaving
normal backslashes alone. If you REALLY need to turn it off