Eric C wrote:
> Okay I see what you're saying. The user can add his
> own queries in $hash and I'll be executing their query
> along with mine. Do they need a space? I could add
> this to the top of the script:
>
> // Is there a ' ' in $hash?
> if (preg_match("<\s>", $hash) > 0) {
>     echo " <p>That is not a correctly formed hash.
>     <b>Please try again.</b></p>
>     <a href=$linkback>Click here to return to the
>     main page.</a>";
>     require(XOOPS_ROOT_PATH.'/footer.php');
>     exit();
> }
>
> It will kick 'em out before anything else gets done.
> What do you think?

Eric,

I think you should:

1. Create an SQL user with only Select permission, and use that for all web-generated queries.
2. Filter SQL delimiters from all POST data
3. Log all IP addresses

HTH.

Bill

--
E. William Horne
William Warren Consulting
http://www.william-warren.com/
781-784-7287
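As an added example that is not part of the thread: instead of rejecting only values of $hash that contain whitespace, the script can validate $hash against an allow-list of what a hash can look like and pass it to the database as a bound parameter, so user input never becomes part of the SQL text. The code assumes a 32-character hex digest, a constructed in-memory SQLite table, and PDO rather than the XOOPS database layer; the lookup function and table name are hypothetical.

```php
<?php
// Added example (not from the thread): allow-list validation of $hash plus a
// prepared statement, complementing the read-only SQL user suggested above.

function isValidHash(string $hash): bool
{
    // Assumption: a "hash" here is a 32-character hex digest (e.g. MD5).
    // Anything else, including whitespace, quotes or comment markers, fails.
    return preg_match('/\A[0-9a-f]{32}\z/i', $hash) === 1;
}

function lookupByHash(PDO $db, string $hash): ?array
{
    if (!isValidHash($hash)) {
        return null;            // reject before any SQL is built
    }
    // The value is bound as a parameter; it is never interpolated into the query.
    $stmt = $db->prepare('SELECT id, name FROM files WHERE hash = :hash');
    $stmt->execute([':hash' => strtolower($hash)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database for demonstration only.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT, hash TEXT)');
$insert = $db->prepare('INSERT INTO files (name, hash) VALUES (:name, :hash)');
$insert->execute([':name' => 'notes.txt', ':hash' => md5('notes')]);

var_dump(lookupByHash($db, md5('notes')));       // array with id and name
var_dump(lookupByHash($db, 'abc def'));          // NULL: whitespace, wrong length
var_dump(lookupByHash($db, md5('notes') . "'")); // NULL: not a hex digest
```

The whitespace test in the quoted snippet only catches one class of bad input; the allow-list rejects everything that is not a hash, and the bound parameter means a rejected value would be harmless even if it slipped through.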