On Nov 28, 2008, at 16:59, Michele Waldman wrote:
What about inserting a comment
<script>alert('hi');</script>'; delete from users;
Like I’m going to name my table users?
With that one statement, they have performed a SQL injection
and an HTML injection in one stroke.
Bada bing bada bang bada boom
Next time I display their comment out of the database they are
popping up an alert to every user and my users are gone.
Michele
Two words: escape output
--
Chris Shiflett
http://shiflett.org/
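The two words above, shown in working code. This is an added example and not code from either poster: it stores the quoted comment with a bound parameter so the quote and the trailing SQL are treated as data, then escapes it for the HTML context when it is displayed. The in-memory SQLite schema, the table names and the sample comment are constructed for illustration.

```php
<?php
// Added example (not from the thread): store a user comment with a
// parameterised query, then escape it at the point of output.
// Assumes PHP with the PDO SQLite driver available.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice')");

// Constructed input of the kind quoted in the thread.
$comment = "<script>alert('hi');</script>'; delete from users;";

// Vulnerable pattern, left commented out for contrast: building the
// query as a string lets the quote inside the comment end the literal,
// and whatever follows is parsed as SQL rather than stored as text.
// $db->exec("INSERT INTO comments (body) VALUES ('$comment')");

// Safe storage: a bound parameter is sent as data, never parsed as SQL.
$stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $comment]);

// Check: the users table still has its one row.
$users = (int) $db->query('SELECT COUNT(*) FROM users')->fetchColumn();
if ($users !== 1) {
    throw new RuntimeException('users table was modified');
}

// Safe display: escape for the HTML body context when rendering.
function render_comment(string $body): string
{
    $escaped = htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p class="comment">' . $escaped . '</p>';
}

$row = $db->query('SELECT body FROM comments')->fetch(PDO::FETCH_ASSOC);
echo render_comment($row['body']), PHP_EOL;
// The browser receives &lt;script&gt;... as literal text, so nothing executes.
```

Escaping is context-specific: `htmlspecialchars` is right for text inside an HTML element, but a value placed into a JavaScript string, a URL, or an attribute without quotes needs the encoding for that context instead.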
_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org/show_participation.php