Also, if you ever need to display those values in any other potentially interpreted format (such as a Web page -- browsers interpret and render HTML), remember to escape them. Even if you are protecting yourself against SQL injection, you might end up vulnerable to XSS/CSRF attacks by displaying unescaped data in a web document.
Ulisses

On Wed, 2008-11-12 at 14:03 -0700, Ian Harisay wrote:
> The fact that you're using placeholders will prevent an SQL injection attack
> from happening. You're good to go.
>
> -----Original Message-----
> From: James H. McCullars [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, November 12, 2008 1:27 PM
> To: [email protected]
> Subject: security advice needed
>
> Hi, we have a special address that our users can forward spam
> complaints to, and the number of complaints is exceeding what I can
> deal with manually. So I am thinking of automating this process and
> populating a database with things like local user, sending IP,
> sending relay address, subject, etc for each spam complaint that
> comes in. So I need to make sure that if I do something like the standard:
>
> $sth = $dbh->prepare("INSERT INTO table(foo,bar,baz) VALUES (?,?,?)");
>
> and use the contents of the "Subject:" line as a value, some spammer
> couldn't put SQL code in the subject and have it interpreted. Something like:
>
> Subject: Increase your money; "hello; use mysql; drop table users;"
>
> or something to that effect. Would someone be able to do this, and
> if so, how would I guard against it? Thanks...
>
> Jim McCullars
> University of Alabama in Huntsville
>

--
Ulisses Reina Montenegro de Albuquerque
AB34 A154 28C1 84A8 676E 202F 264B 117F 88BA B1A5
Tempest Security Intelligence [http://www.tempest.com.br/]
"In theory, theory and practice are the same. In practice, they are not."
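To illustrate both points in the thread (placeholders bind the Subject: line as data, and the stored value still has to be escaped before it goes into HTML), here is an added example that is not part of the original mails. It assumes DBD::SQLite (in-memory database standing in for the real one) and HTML::Entities are installed; the table and column names are made up for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;
use HTML::Entities qw(encode_entities);   # assumption: HTML::Entities is installed

# Constructed samples: the hostile subject quoted in the thread, plus one
# carrying HTML, to show the two different problems (SQL vs. rendering).
my @subjects = (
    'Increase your money; "hello; use mysql; drop table users;"',
    'Cheap <b>pills</b> & "deals" <img src=x>',
);

# Assumption: in-memory SQLite stands in for the production database.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE complaints (local_user TEXT, sending_ip TEXT, subject TEXT)");
$dbh->do("CREATE TABLE users (name TEXT)");   # the table the payload tries to drop

# Placeholders: the driver binds each value as data; the SQL text never changes,
# so semicolons and quotes inside $subject are just characters in a string.
my $ins = $dbh->prepare(
    "INSERT INTO complaints (local_user, sending_ip, subject) VALUES (?, ?, ?)");
$ins->execute('jdoe', '192.0.2.10', $_) for @subjects;

# Read the rows back: every subject is stored literally and the users table
# still exists, i.e. nothing inside the subject was executed as SQL.
my $rows = $dbh->selectcol_arrayref(
    "SELECT subject FROM complaints WHERE local_user = ? ORDER BY rowid", undef, 'jdoe');
printf "stored literally: %s\n", ($rows->[$_] eq $subjects[$_] ? "yes" : "no")
    for 0 .. $#subjects;
my ($users_ok) = $dbh->selectrow_array(
    "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'users'");
printf "users table intact: %s\n", $users_ok ? "yes" : "no";

# Output side: the database did its job, but a browser would still render the
# <b>/<img> tags in the second subject. Escape on the way out, not on the way in,
# so the database keeps the original complaint and every output format gets
# the escaping it needs.
for my $subject (@$rows) {
    my $safe = encode_entities($subject, '<>&"\'');   # &lt; &gt; &amp; &quot; &#39;
    print "<tr><td>$safe</td></tr>\n";
}
```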
