Thanks for the pointer to the encoding page, I wanted that recently for
something else and noticed that the current doc (i.e. what I get on my
server in the docs tab) doesn't seem to have it any more. Why did it
disappear?
Oh well, just encoding the variable in the SQL query doesn't actually
work for what I need. The form item is an int, not a string, so the
injection attacks don't need to use the characters that the mysql
encoding encodes, you just need spaces and letters. I guess using an
encoding will get around the problem with my
<if expr='STRING(INT("&form.id;")) == "&form.id;"'>
example. Using
<if expr='STRING(INT("&form.id:mysql;")) == "&form.id:mysql;"'>
on my test page does seem to let me send all sorts of absurd things in
without causing anything but detected failure to occur. I'll have to
look at that some more to see if I think it'll really handle anything
you throw at it...but I think that's a solution (if somewhat
cumbersome).
Man, security is hard...
-MAP
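As an added example (not code from the thread above), the same round-trip check in Python, with Python's int() standing in for the template's INT() and an in-memory sqlite3 table as a stand-in for the real database (both assumptions). It shows why string-context escaping does nothing for an integer field, and that the round-trip check is stricter than "parses as an int", since it also rejects values like " 2" or "02" that int() would accept.

```python
import sqlite3

# Characters that MySQL-style string escaping rewrites (constructed list,
# modelled on mysql_real_escape_string); nothing else in a value is touched.
STRING_ESCAPED_CHARS = frozenset("\\'\"\x00\n\r\x1a")


def string_escaping_changes(value: str) -> bool:
    """True if string-context escaping would alter this value at all."""
    return any(ch in STRING_ESCAPED_CHARS for ch in value)


def is_canonical_int(value: str) -> bool:
    """Round-trip check, the analogue of STRING(INT(x)) == x in the post.
    Python's int() stands in for the template's INT() (an assumption).
    Stricter than 'parses as int': int() accepts ' 42', '+42', '042' and
    '4_2', but none of them survive the round trip unchanged."""
    try:
        return str(int(value)) == value
    except (ValueError, TypeError):
        return False


def lookup_name(conn: sqlite3.Connection, form_id: str):
    """Validate the form value, then bind it as a query parameter.
    Returns the matching name, or None; raises ValueError on a rejected id."""
    if not is_canonical_int(form_id):
        raise ValueError(f"rejected form id: {form_id!r}")
    row = conn.execute("SELECT name FROM items WHERE id = ?",
                       (int(form_id),)).fetchone()
    return row[0] if row else None


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory sample table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(1, "alpha"), (2, "beta")])
    return conn


if __name__ == "__main__":
    conn = make_demo_db()
    for candidate in ["2", "1 OR 1=1", " 2", "+2", "02"]:
        touched = string_escaping_changes(candidate)
        try:
            print(f"{candidate!r} -> {lookup_name(conn, candidate)!r} "
                  f"(escaping would change it: {touched})")
        except ValueError as exc:
            print(f"{exc} (escaping would change it: {touched})")
```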