From: "Dave G" <[EMAIL PROTECTED]>
> I almost exclusively use PHP > to draw from data held within a MySQL database on the same server. I do > not allow users to upload files. I suppose the most that I allow users > to do is input some information like email addresses, user names and > passwords. But it seems to be harmless text that gets stored in the > database. I can't see how it could be manipulated to store and/or > execute a script of any kind. If that text is not properly validated and escaped, you could be open to SQL Injection attacks where the user can submit text that'll be used as a part of your query and not just the column values. Also, when you're redisplaying this user-supplied data, if it is not properly validated and escaped, then you could be open to Cross Site Scripting attacks where you'll basically be letting the user write the content of your page (HTML, JavaScript, etc). I don't know what "Hardened PHP" does to protect against things like this or if it does anything at all. ---John Holmes... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
