
BLU Discuss list archive



user input question



Eric C wrote:
> Okay I see what you're saying.  The user can add his
> own queries in $hash and I'll be executing their query
> along with mine.  Do they need a space?  I could add
> this to the top of the script:
>
> // Is there a ' ' in $hash?
> if (preg_match("<\s>", $hash) > 0) {
>   echo " <p>That is not a correctly formed hash.
> <b>Please try again.</b></p>
>      <a href=\"$linkback\">Click here to return to the
> main page.</a>";
>   require(XOOPS_ROOT_PATH.'/footer.php');
>   exit();
> }
>
>
> It will kick 'em out before anything else gets done. 
> What do you think?
>   

Eric,

I think you should:

   1. Create an SQL user with only Select permission, and use that for
      all web-generated queries.
   2. Filter SQL delimiters from all POST data
   3. Log all IP addresses

HTH.

Bill

-- 

E. William Horne
William Warren Consulting
http://www.william-warren.com/
781-784-7287
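The two defences discussed in this thread, the whitespace check on $hash and Bill's suggestion of stripping SQL delimiters from POST data, are exercised side by side below against the approach an editor would recommend instead, bound query parameters. This is an added example and not code from the original posts or from XOOPS; it uses Python with an in-memory SQLite table as a stand-in for the PHP script and its database, and the table, its rows and the two attacker payloads are all constructed for the demonstration. The payloads contain no whitespace at all, so the \s check never sees them; SQL block comments take the place of spaces.

```python
import re
import sqlite3

# Constructed stand-in for the table the original XOOPS script queries
# (assumption: rows are looked up by a hash string; the real schema is not on
# the page).
SCHEMA = """
CREATE TABLE downloads (
    id INTEGER PRIMARY KEY, hash TEXT, filename TEXT, secret INTEGER);
INSERT INTO downloads VALUES (1, 'a1b2c3', 'public.tgz', 0);
INSERT INTO downloads VALUES (2, 'deadbeef', 'internal.tgz', 1);
"""

# Constructed attacker inputs. Neither contains a single whitespace character:
# SQL block comments do the job of spaces, so a \s check does not reject them.
HASH_PAYLOAD = "x'/**/OR/**/1=1--"
ID_PAYLOAD = "1/**/OR/**/1=1--"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def has_whitespace(value):
    """The check proposed in the thread: reject input matching \\s."""
    return re.search(r"\s", value) is not None


def strip_sql_delimiters(value):
    """Bill's second suggestion: drop quote, semicolon and backslash characters."""
    return re.sub(r"""['";\\]""", "", value)


def lookup_hash_concatenated(conn, hash_value):
    """Vulnerable: input pasted into a quoted string literal in the SQL text."""
    sql = ("SELECT filename FROM downloads WHERE hash = '"
           + hash_value + "' AND secret = 0")
    return sorted(row[0] for row in conn.execute(sql))


def lookup_id_concatenated(conn, id_value):
    """Vulnerable: input pasted into an unquoted numeric position."""
    sql = ("SELECT filename FROM downloads WHERE id = "
           + id_value + " AND secret = 0")
    return sorted(row[0] for row in conn.execute(sql))


def lookup_hash_parameterized(conn, hash_value):
    """Hardened: the driver binds hash_value as data, never as SQL text."""
    sql = "SELECT filename FROM downloads WHERE hash = ? AND secret = 0"
    return sorted(row[0] for row in conn.execute(sql, (hash_value,)))


def lookup_id_parameterized(conn, id_value):
    """Hardened numeric lookup; a non-numeric string simply matches nothing."""
    sql = "SELECT filename FROM downloads WHERE id = ? AND secret = 0"
    return sorted(row[0] for row in conn.execute(sql, (id_value,)))


def demo():
    """Run every variant against the constructed payloads and collect results."""
    conn = new_db()
    return {
        # Both payloads slip past the whitespace check.
        "hash_payload_passes_ws_check": not has_whitespace(HASH_PAYLOAD),
        "id_payload_passes_ws_check": not has_whitespace(ID_PAYLOAD),
        # Concatenation: the quoted lookup also returns the secret row.
        "hash_concat": lookup_hash_concatenated(conn, HASH_PAYLOAD),
        # Stripping delimiters neutralises the quoted payload ...
        "hash_concat_filtered": lookup_hash_concatenated(
            conn, strip_sql_delimiters(HASH_PAYLOAD)),
        # ... but does nothing for the unquoted numeric position.
        "id_concat_filtered": lookup_id_concatenated(
            conn, strip_sql_delimiters(ID_PAYLOAD)),
        # Bound parameters: both payloads are compared as plain values.
        "hash_param": lookup_hash_parameterized(conn, HASH_PAYLOAD),
        "id_param": lookup_id_parameterized(conn, ID_PAYLOAD),
        "legit_hash_param": lookup_hash_parameterized(conn, "a1b2c3"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run as a script it prints each variant's result. The concatenated quoted lookup returns both rows, including the one marked secret; stripping quotes does stop that payload, but the numeric variant needs no quotes, so the delimiter filter leaves it intact and it returns both rows again; the parameterized lookups return nothing for either payload and the right row for a genuine hash. In PHP the same effect comes from PDO or mysqli prepared statements with placeholders. Bill's first item, a read-only database account, cannot be shown in SQLite; on a server such as MySQL it is a statement of the form GRANT SELECT ON the site's database TO the web user, and it limits what an injection that does get through can do rather than preventing the injection itself.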







BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
