Just to clarify: active record database queries are escaped automatically by revIgniter, not by the server engine. Obviously the revIgniter user guide is capable of being misunderstood here. I will change that.
Regarding XSS attacks: revIgniter comes with a Cross Site Scripting Hack prevention filter which can either run automatically to filter all POST and COOKIE data that is encountered, or you can run it on a per item basis.

Cheers

Ralf

On 18.09.2010, at 09:57, Monte Goulding wrote:

>> I'm thinking this should suffice where the "positive match" is A-z plus 0-9,
>> comma, period and exclamation mark... if allowed should suffice, but then I
>> may need to deal with SQL injection (PostGreSQL) also. If there is no ";"
>> then nothing can happen. But I know it is more complicated than that.
>
> According to the revIgniter docs when using the placeholder SQL syntax the db
> external escapes the variable/array element for you and therefore protects
> you from SQL injection. I can't find that in the rev docs but I imagine Ralf
> has investigated.
>
> Cheers

_______________________________________________
use-revolution mailing list
[email protected]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-revolution
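The two approaches discussed in this thread, string splicing versus the placeholder syntax of the revdb external, side by side as an added example. This is not code from the thread or from revIgniter; it uses the plain LiveCode/Revolution database library (`revDataFromQuery` with `:1` placeholders) rather than revIgniter's active record wrappers, and it assumes a PostgreSQL connection has already been opened with `revOpenDatabase` and its id is passed in as `pConnID`. The table and column names are made up for the example.

```livecode
-- Added example, not from the original thread or from revIgniter.
-- Assumes pConnID is a connection id returned by revOpenDatabase.

-- Vulnerable form: the user-supplied value is spliced into the SQL text.
-- Whatever characters pUserName contains are parsed as part of the statement,
-- so a stray quote character changes the meaning of the query.
function lookupUserUnsafe pConnID, pUserName
   local tSQL
   put "SELECT id, email FROM users WHERE name = '" & pUserName & "'" into tSQL
   return revDataFromQuery(tab, return, pConnID, tSQL)
end lookupUserUnsafe

-- Safe form: :1 is a placeholder for the first variable named in the list
-- that follows the SQL. The db external hands the value to the driver as a
-- bound parameter (escaped for PostgreSQL), so it is only ever treated as
-- data, no matter which characters it contains. No ";" check is needed.
function lookupUserSafe pConnID, pUserName
   local tSQL
   put "SELECT id, email FROM users WHERE name = :1" into tSQL
   return revDataFromQuery(tab, return, pConnID, tSQL, "pUserName")
end lookupUserSafe

-- Optional input validation as a second layer, matching the "positive match"
-- idea from the thread: letters, digits, comma, period and exclamation mark.
-- Note the explicit A-Za-z instead of A-z: in a regex the range A-z also
-- matches [ \ ] ^ _ and the backtick, which sit between Z and a in ASCII.
-- This narrows what reaches the database but does not replace placeholders.
function isAllowedInput pValue
   return matchText(pValue, "^[A-Za-z0-9,.!]+$")
end isAllowedInput
```

When `lookupUserSafe` is called, the name "pUserName" is resolved in the calling handler's scope, which is why the variable name is passed as a string rather than the value itself. The validation function is shown only because the thread raises it; the placeholder query is what actually prevents injection, and it works for values the whitelist would reject, such as names containing an apostrophe.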
