On Thu, Jun 08, 2006 at 11:42:09AM -0400, Chris Morgan wrote:
> Can you come up with a non-destructive working example for the appdb
> website (appdb.winehq.org)? ;-)

no ;P

> I ask because I thought we went through this some time ago but I agree
> that what you say looks like an open issue.

if the magic quote thingy is turned on, then my code below won't do any
harm (as the ' from the user input is turned into \'). well, but there are
other ways to inject code (e.g. encode the ' in some other way). at least
an intval($_REQUEST['appId']) would be a step in the right direction.

> > > appId='"$_REQUEST['appId']."';";
> >
> > with appId="' or 1=1;'"?

-- 
cu
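Added PHP illustration of the three handling choices this message contrasts (raw interpolation, magic_quotes-style escaping via addslashes(), and intval()) next to a parameterised query; this is example code, not AppDB's, and it assumes a hypothetical table name `apps` and an existing PDO connection for the last function.

```php
<?php
// Hypothetical helpers (not AppDB code); "apps" is an assumed table name.

// 1. Raw interpolation, as in the quoted snippet: the value becomes SQL text.
function build_raw(string $appId): string {
    return "SELECT * FROM apps WHERE appId='" . $appId . "';";
}

// 2. What magic_quotes_gpc did: addslashes() escapes ' " \ and NUL.
//    This neutralises the quote in the thread's payload, but, as the
//    message notes, it is not a complete defence and is not a fix.
function build_magic_quotes(string $appId): string {
    return build_raw(addslashes($appId));
}

// 3. The step the message suggests: intval() forces an integer, so only
//    digits (or 0 for non-numeric input) can ever reach the query text.
function build_intval(string $appId): string {
    return "SELECT * FROM apps WHERE appId=" . intval($appId) . ";";
}

// 4. The durable fix: a prepared statement keeps the value out of the
//    SQL text entirely. $pdo is an assumed, already-open PDO connection.
function fetch_app(PDO $pdo, string $appId): array {
    $stmt = $pdo->prepare("SELECT * FROM apps WHERE appId = :id");
    $stmt->execute([':id' => intval($appId)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal id, a trailing-garbage id, and the payload
// quoted in the thread. Compare the resulting SQL text per strategy.
foreach (["42", "42abc", "' or 1=1;'"] as $input) {
    echo "input:  " . $input . "\n";
    echo "raw:    " . build_raw($input) . "\n";          // payload breaks the quoting
    echo "magic:  " . build_magic_quotes($input) . "\n"; // quote escaped as \'
    echo "intval: " . build_intval($input) . "\n\n";     // 42 / 42 / 0
}
```

Running it shows the raw form producing `appId='' or 1=1;'';` for the quoted payload, while the intval form reduces the same input to `appId=0;`.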