Stuart Felenstein wrote:
I just remembered something (smacks myself in the
head)
In both my multi select and select menus I use dynamic
options (meaning the options available come from a
table. So:
Table for states would look like this:
+----------+-------------------+
| StateID  | State Label       |
+----------+-------------------+
| 1        | Arkansas          |
+----------+-------------------+
| 2        | Alabama           |
+----------+-------------------+
| 3        | Arizona           |
+----------+-------------------+
What gets stored in the database is the StateID, the
column is an int. My understanding is the database
just won't accept anything but an int. I mean I'm
jamming on my keys now and the only thing the column
will take is a real number.
Based on this I think a hacker can do whatever they
want by saving the page and altering the input but all
it would do is fail on insertion.
This makes sense?
Yes, this makes sense, it's a commonly used technique as well =/
And I'm not trying to be lazy here, only practical.
Of course, should I still be polite to hackers by
still testing for invalid characters :)
Stuart
--- Graham Cossey <graham@xxxxxxxxxxxxxxx> wrote:
[snip]
How would a hacker pass an HTTP message ?
That is interesting.
read the off-list posted message from
php-list-replies@xxxxxxxxxxxxxxxxxxxxx
(reproduced below for the benefit of other list
members)
Graham
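As an added illustration of the validation question raised above (this is not code from the list thread, and the table and column names, in-memory SQLite database and sample submissions are all constructed here), the block below contrasts trusting the column type with an explicit whitelist check against the options table. SQLite is used because it is self-contained; note that its INTEGER affinity happily stores a non-numeric string, and that MySQL's behaviour depends on sql_mode (non-strict mode coerces rather than rejects), so the column type alone is not a reliable gate.

```python
import re
import sqlite3

# Constructed lookup table mirroring the states table from the post.
STATES = [(1, "Arkansas"), (2, "Alabama"), (3, "Arizona")]


def make_db():
    """Build an in-memory schema: the options table plus a table storing the chosen StateID."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE states (StateID INTEGER PRIMARY KEY, StateLabel TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO states VALUES (?, ?)", STATES)
    conn.execute(
        "CREATE TABLE profiles ("
        "ProfileID INTEGER PRIMARY KEY AUTOINCREMENT, StateID INTEGER NOT NULL)"
    )
    return conn


def column_type_only(conn, submitted):
    """Insert whatever the form submitted and rely on the column type alone.

    Returns the SQL storage class of what actually landed so the caller can see
    whether the 'int column rejects everything else' assumption held.
    """
    cur = conn.execute("INSERT INTO profiles (StateID) VALUES (?)", (submitted,))
    row = conn.execute(
        "SELECT typeof(StateID) FROM profiles WHERE ProfileID = ?", (cur.lastrowid,)
    ).fetchone()
    return row[0]


def validated_state_id(conn, submitted):
    """Whitelist check: return the StateID as an int only if it is a plain
    decimal integer and that id exists in the states table; otherwise None."""
    if isinstance(submitted, bool) or not isinstance(submitted, (int, str)):
        return None
    text = str(submitted).strip()
    # Only ASCII digits: rejects '', '-1', '1.5', '1 OR 1=1', 'Arizona'.
    if not re.fullmatch(r"[0-9]+", text):
        return None
    state_id = int(text)
    exists = conn.execute(
        "SELECT 1 FROM states WHERE StateID = ?", (state_id,)
    ).fetchone()
    return state_id if exists else None


def save_profile(conn, submitted):
    """Store the submitted state only after it passes the whitelist check.
    Returns the new ProfileID, or None when the value was rejected."""
    state_id = validated_state_id(conn, submitted)
    if state_id is None:
        return None
    cur = conn.execute("INSERT INTO profiles (StateID) VALUES (?)", (state_id,))
    return cur.lastrowid


if __name__ == "__main__":
    db = make_db()
    print("column type only, submitted 'abc' ->", column_type_only(db, "abc"))
    for value in ("2", "99", "1 OR 1=1", "Arizona"):
        print(repr(value), "->", validated_state_id(db, value))
```

The whitelist check does two things the column type cannot: it rejects values that are numeric but not a real option (99), and it rejects anything that is not a plain integer before it ever reaches the query. The parameterised inserts keep the data path separate from the SQL text regardless of what the form sent.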
------
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php