Re: [PHP] is it safe to stripslashes() on all form variables?

2001-04-17 Thread Yasuo Ohgaki
Previous post does not address how to avoid making this kind of security hole. Anyway, if anyone wants to avoid creating a security hole like this: do not stripslashes() the slashes added by magic_quote. If you use stripslashes(), use addslashes() again. If you do not use magic_quote, use addslashes() before

Re: [PHP] is it safe to stripslashes() on all form variables?

2001-04-16 Thread Plutarck
As long as you don't need to ever store a forward slash :) Beyond that, nope. stripslash() away.

--
Plutarck
Should be working on something...
...but forgot what it was.

"Noah Spitzer-Williams" [EMAIL PROTECTED] wrote in message news:9bf7ec$m1m$[EMAIL

Re: [PHP] is it safe to stripslashes() on all form variables?

2001-04-16 Thread Yasuo Ohgaki
If you strip slashes, it will make a security hole. For example,

SELECT * FROM tablename WHERE name = '$name';

what if $name is

\'garbage\';DROP TABLE tablename;SELECT \'something

After stripslashes($name)

SELECT * FROM table WHERE name = 'garbage';DROP TABLE tablename;SELECT 'something';

RE: [PHP] is it safe to stripslashes() on all form variables? [ security hole !!! ]

2001-04-16 Thread Johnson, Kirk
Yasuo, I didn't quite follow this. What are those special characters below in your $name example?

TIA

Kirk

-Original Message-
If you strip slashes, it will make a security hole. For example, SELECT * FROM tablename WHERE name = '$name'; what if $name is \'garbage\';DROP TABLE

Re: [PHP] is it safe to stripslashes() on all form variables?

2001-04-16 Thread Noah Spitzer-Williams
Jesus that's pretty scary! So how should I go about doing this?

"Yasuo Ohgaki" [EMAIL PROTECTED] wrote in message news:9bflce$9p5$[EMAIL PROTECTED]...
If you strip slashes, it will make a security hole. For example, SELECT * FROM tablename WHERE name =

Re: [PHP] is it safe to stripslashes() on all form variables?

2001-04-16 Thread Alexander Skwar
Thus spoke Noah Spitzer-Williams on Mon, Apr 16, 2001 at 12:45:43PM -0400:

would there be any problems caused if I used the stripslashes() function on all posted variables from a form to eliminate sql query errors?

Uhm, why stripslashes() the values? Wouldn't it be better to addslashes() the

Re: [PHP] is it safe to stripslashes() on all form variables?

2001-04-16 Thread Yasuo Ohgaki
If you strip slashes, it will make a security hole. For example,

SELECT * FROM tablename WHERE name = '$name';

what if $name is

\'garbage\';DROP TABLE tablename;SELECT \'something

After stripslashes($name)

SELECT * FROM table WHERE name = 'garbage';DROP TABLE tablename;SELECT 'something';
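
The hole described in this thread, as an added example that is not code posted by any participant: it shows how a blanket stripslashes() undoes the escaping magic quotes applied, then passes the same value through a bound parameter. Assumptions: addslashes() stands in for magic quotes, the pdo_sqlite extension and an in-memory database are used, the sample row and input are constructed, and the prepared statement is a different technique from the addslashes() approach recommended in the thread.

```php
<?php
// Added example, not code from the thread. The table name and payload follow
// the post above; the in-memory SQLite database is an assumption.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE tablename (name TEXT)");
$db->exec("INSERT INTO tablename (name) VALUES ('alice')");

// Raw form value as the browser sent it (constructed sample input).
$raw = "garbage';DROP TABLE tablename;SELECT 'something";

// magic_quotes_gpc (removed in PHP 5.4) applied addslashes() to request data.
$quoted = addslashes($raw);

// A blanket stripslashes() returns the value to its raw form ...
$stripped = stripslashes($quoted);

// ... so the quote inside the input ends the string literal and the
// remainder is parsed as SQL. The string is printed, never executed.
$unsafe = "SELECT * FROM tablename WHERE name = '$stripped';";
echo "Escaped by magic quotes: $quoted\n";
echo "String-built query after stripslashes():\n$unsafe\n\n";

// Hardened form: the statement text is fixed and the value is bound
// separately, so quotes in the input are data, not syntax.
$stmt = $db->prepare("SELECT * FROM tablename WHERE name = ?");
$stmt->execute([$stripped]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo "Rows matched by the bound value: " . count($rows) . "\n";

// The table still exists and still holds its row.
$count = $db->query("SELECT COUNT(*) FROM tablename")->fetchColumn();
echo "Rows in tablename afterwards: $count\n";
```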