user input question
Bill Horne
bill at horne.net
Tue Apr 3 15:34:44 EDT 2007
Eric C wrote:
> Okay I see what you're saying. The user can add his
> own queries in $hash and I'll be executing their query
> along with mine. Do they need a space? I could add
> this to the top of the script:
>
> // Is there a ' ' in $hash?
> if (preg_match("<\s>", $hash) > 0) {
> echo " <p>That is not a correctly formed hash.
> <b>Please try again.</b></p>
> <a href=$linkback>Click here to return to the
> main page.</a>";
> require(XOOPS_ROOT_PATH.'/footer.php');
> exit();
> }
>
>
> It will kick 'em out before anything else gets done.
> What do you think?
>
Eric,
I think you should:
1. Create an SQL user with only Select permission, and use that for
all web-generated queries.
2. Filter SQL delimiters from all POST data
3. Log all IP addresses
HTH.
Bill
--
E. William Horne
William Warren Consulting
http://www.william-warren.com/
781-784-7287
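The situation the thread is discussing, as an added worked example (this is not code from Eric's script, from XOOPS, or from Bill's reply): user-supplied $hash concatenated into a query, the whitespace check from the quoted PHP, and the hardened form that layers strict input validation, a parameterized query, and a read-only database connection. Assumptions: SQLite (via Python's sqlite3 module) stands in for MySQL, the table and rows are constructed here, a hash is assumed to be six lowercase hex characters, and PRAGMA query_only stands in for the SELECT-only MySQL user Bill recommends.

```python
import re
import sqlite3

# Constructed sample data: a lookup table of hashes and what they point at.
SAMPLE_ROWS = [
    ("0c1e2f", "public page"),
    ("a9b8c7", "private page"),
    ("ffeedd", "admin page"),
]

# Assumption for this example: a well-formed hash is exactly six lowercase hex digits.
HEX_HASH = re.compile(r"[0-9a-f]{6}")


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (hash TEXT PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def whitespace_filter_passes(hash_value):
    """Python equivalent of preg_match("<\\s>", $hash) from the thread:
    True means the input contains no whitespace and would be let through."""
    return re.search(r"\s", hash_value) is None


def lookup_concat(conn, hash_value):
    """Vulnerable: the user's $hash is pasted straight into the SQL text."""
    sql = "SELECT title FROM pages WHERE hash = '%s'" % hash_value
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, hash_value):
    """Parameterized: the value is bound, never parsed as SQL, so quotes
    and keywords in it cannot change the query's structure."""
    rows = conn.execute("SELECT title FROM pages WHERE hash = ?", (hash_value,))
    return [row[0] for row in rows]


def lookup_safe(conn, hash_value):
    """Validate against an allowlist pattern first (returns None for a
    malformed hash, the analogue of the 'Please try again' page), then
    run the parameterized query."""
    if not HEX_HASH.fullmatch(hash_value):
        return None
    return lookup_param(conn, hash_value)


def make_readonly(conn):
    """Analogue of Bill's point 1, a database account that can only SELECT.
    On MySQL this would be a GRANT SELECT account; here the SQLite
    connection is switched to query-only mode."""
    conn.execute("PRAGMA query_only = ON")


def write_attempt_blocked(conn):
    """True if the connection refuses a write, i.e. a smuggled DELETE
    would fail even if it reached the database."""
    try:
        conn.execute("DELETE FROM pages")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # A payload with no whitespace at all: ''OR'1'='1' is valid SQL.
    payload = "'OR'1'='1"
    print("whitespace filter passes:", whitespace_filter_passes(payload))
    print("concatenated query returns:", lookup_concat(db, payload))
    print("parameterized query returns:", lookup_param(db, payload))
    print("validated lookup returns:", lookup_safe(db, payload))
    make_readonly(db)
    print("write blocked on read-only connection:", write_attempt_blocked(db))
```

The payload `'OR'1'='1` contains no space, tab or newline, so a whitespace check does not stop it, yet the concatenated query becomes `WHERE hash = ''OR'1'='1'` and returns every row. The parameterized lookup treats the same string as a literal hash and finds nothing, the allowlist rejects it before any query is built, and the read-only connection is the safety net for whatever gets past both.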