We are actually running the query through a function that removes single ticks, etc to avoid this, but I didn't think that was relevant to the question so I didn't include it. Thanks, though!
-----Original Message----- From: Peter Lind [mailto:peter.e.l...@gmail.com] Sent: Thursday, September 16, 2010 12:03 PM To: Cheryl Sullivan Cc: a...@ashleysheridan.co.uk; firstname.lastname@example.org Subject: Re: [PHP] Session Vars loaded from MSSQL Query drop, those loaded from MYSQL Query stick On 16 September 2010 16:26, Cheryl Sullivan <csull...@shh.org> wrote: > Absolutely - > > > > This is from the first page > > > > <?php > > $_SESSION['UserLastName'] = strtolower(trim($_POST['txtLastName'])); > > $_SESSION['BadgeID'] = trim($_POST['txtBadgeID']); > > > > //access MS SQL Server database > > $q1 = "select * from emps where emp_last = > '".$_SESSION['UserLastName']."' and emp_badge = > '".$_SESSION['BadgeID']."'"; > > $rs_emp_info = hitMSSQL($q1,"xxxx_sql","database","table","password",1); > > $_SESSION['SSN'] = $rs_emp_info->fields("emp_ssn"); > > $_SESSION['CostCenter'] = $rs_emp_info->fields("emp_costcenter"); > You're sticking values from $_POST into an SQL query without sanitizing them first. That spells out SQL INJECTION VULNERABILITY. Regards Peter -- <hype> WWW: http://plphp.dk / http://plind.dk LinkedIn: http://www.linkedin.com/in/plind BeWelcome/Couchsurfing: Fake51 Twitter: http://twitter.com/kafe15 </hype> Notice: This communication, including attachments, may contain information that is confidential and protected. It constitutes non-public information intended to be conveyed only to the designated recipient(s). If you believe that you have received this communication in error, please notify the sender immediately by return e-mail and promptly delete this e-mail, including attachments without reading or saving them in any manner. The unauthorized use, dissemination, distribution, or reproduction of this e-mail, including attachments, is prohibited and may be unlawful. Thank you. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php