
BLU Discuss list archive


user input question

Eric C wrote:
> Okay I see what you're saying.  The user can add his
> own queries in $hash and I'll be executing their query
> along with mine.  Do they need a space?  I could add
> this to the top of the script:
> // Is there a ' ' in $hash?
> if (preg_match("<\s>", $hash) > 0) {
>  echo " <p>That is not a correctly formed hash. 
> <b>Please try again.</b></p>
>      <a href=$linkback>Click here to return to the
> main page.</a>";
>   require(XOOPS_ROOT_PATH.'/footer.php');
>   exit();
> }
> It will kick 'em out before anything else gets done. 
> What do you think?


I think you should:

   1. Create an SQL user with only Select permission, and use that for
      all web-generated queries.
   2. Filter SQL delimiters from all POST data
   3. Log all IP addresses




E. William Horne
William Warren Consulting
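The three recommendations above, as an added PHP example that is not code from either poster: a positive whitelist check on $hash (the whitespace test in the quoted script only rejects one character class, and SQL injection input need not contain whitespace), the query bound as a parameter and run as a SELECT-only account, and the client address logged on rejection. The hash format (32 hex characters), table and column names, and the database credentials are assumptions, since the thread does not give them.

```php
<?php
// Added example (not from the thread). Assumed: $hash is expected to be a
// 32-character lowercase hex string; adjust the pattern to the real format.

// 1. Whitelist validation: accept only the exact shape you expect.
//    A negative check ("no spaces") leaves every other character through;
//    a positive match over a fixed alphabet and length does not.
function is_valid_hash(string $hash): bool
{
    return preg_match('/\A[0-9a-f]{32}\z/', $hash) === 1;
}

// 3. Log the client address and (a bounded prefix of) the rejected value.
function log_rejected(string $hash): void
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    error_log(sprintf('rejected hash parameter from %s: %s',
                      $ip, substr($hash, 0, 64)));
}

// 2. Bind the value as a parameter instead of filtering delimiters: the
//    user's input is sent separately from the SQL text and can never
//    change the statement, whatever characters it contains.
function find_by_hash(PDO $db, string $hash): array
{
    if (!is_valid_hash($hash)) {
        log_rejected($hash);
        return [];
    }
    $stmt = $db->prepare('SELECT id, name FROM items WHERE hash = :hash');
    $stmt->execute([':hash' => $hash]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 1. Connect as an account that holds only SELECT, created once in MySQL:
//    CREATE USER 'web_readonly'@'localhost' IDENTIFIED BY '<password>';
//    GRANT SELECT ON xoops.* TO 'web_readonly'@'localhost';
//    (hypothetical DSN, user and password below)
$db = new PDO('mysql:host=localhost;dbname=xoops', 'web_readonly', '<password>', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);

$rows = find_by_hash($db, $_POST['hash'] ?? '');
```

With ATTR_EMULATE_PREPARES off, PDO sends the statement and the bound value to the server separately, so the whitespace check in the quoted script becomes a usability message rather than the only thing standing between the form and the database.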
