On Tue, Jan 06, 2009 at 08:22:00PM +0100, MoYo wrote:
> >> function cleanFilenameDocument($name)
> >
> > Yes, I can modify it.
> >
> > I want to know what kind of security risk there is if we don't use this
> > function.
> > For example, SQL injection attacks are disturbing. How much concern should we
> > pay?
>
> Hi,
>
> stripping ' and " of filename may be useful to limit SQL injection
> possibilities.
>
> I am trying to find a complete good solution.
Hi,

It's not sufficient, there are way more methods to inject SQL data.

Each database provides a function to escape characters, so in the case of MySQL you should use mysql_real_escape_string:
http://fr.php.net/mysql_real_escape_string

Note that you have to be careful if magic_quotes_gpc is enabled (you have to call stripslashes to avoid double-escaping characters).

SQL injections in PHP are described here:
http://fr.php.net/manual/en/security.database.sql-injection.php

HTH,
Pierre

_______________________________________________
Glpi-user mailing list
[email protected]
https://mail.gna.org/listinfo/glpi-user
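As an added illustration of the approach Pierre describes (this is not code from the thread or from GLPI), the snippet below escapes a user-supplied filename with mysql_real_escape_string after first undoing magic_quotes_gpc, so the value is never escaped twice. It assumes the legacy mysql extension of PHP 5.x, an open connection in `$link`, and a hypothetical table named `documents`; the credentials and the hostile input are constructed for the example.

```php
<?php
// Added example, not from the original thread or from GLPI.
// Assumes PHP 5.x with the legacy mysql extension and an open connection in $link.

function escapeForMysql($value, $link) {
    // With magic_quotes_gpc on, PHP has already backslash-escaped GET/POST/COOKIE
    // data. Undo that first, otherwise the value below is escaped twice and a
    // literal backslash ends up stored in the database.
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Escapes NUL, \n, \r, \, ', " and Ctrl-Z according to the character set of
    // the open connection, which is why the link is passed explicitly.
    return mysql_real_escape_string($value, $link);
}

function buildLookupQuery($safeName) {
    // The escaped value is only safe inside a quoted string literal. An unquoted
    // numeric column or an identifier (table/column name) still needs its own
    // validation; escaping does nothing for those positions.
    return "SELECT id FROM documents WHERE filename = '" . $safeName . "'";
}

$link = mysql_connect('localhost', 'glpi', 'secret');   // constructed credentials
mysql_select_db('glpi', $link);

// Constructed hostile input: the quote would otherwise close the string literal.
$name = isset($_GET['name']) ? $_GET['name'] : "report.pdf' OR '1'='1";

$safeName = escapeForMysql($name, $link);
$sql      = buildLookupQuery($safeName);
// $sql is now: SELECT id FROM documents WHERE filename = 'report.pdf\' OR \'1\'=\'1'
$result   = mysql_query($sql, $link);
```

Keep in mind that the mysql extension this relies on was removed in PHP 7; on current PHP the same separation of data from query structure is obtained with prepared statements in mysqli or PDO, which also removes the magic_quotes bookkeeping entirely.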
