Graham Anderson said the following on 10/13/05 15:31:
Is this a bit better?
As directed, I 'sanitized' all user input variables with trim and
mysql_real_escape_string.
Thanks for everyone's patience, as I am starting at ground zero
concerning security.
if( isset($_REQUEST['cmd']) OR isset($_REQUEST['path']) )
{
// decrypt and sanitize variables; fall back to the string "null" when absent
$cmd = isset($_REQUEST['cmd']) ? cleanser(decrypt($_REQUEST['cmd'])) : "null";
$path = isset($_REQUEST['path']) ? cleanser(decrypt($_REQUEST['path'])) : "null";
.
.
.
the cleanser script:
// strip surrounding whitespace, then escape for use inside a MySQL string literal
function cleanser( $value )
{
return mysql_real_escape_string( trim( $value ) ) ;
}
the 'decrypt' function uses MCRYPT_RIJNDAEL_256 with a $key stored
outside the web folder.
many thanks :)
My understanding is that mysql_real_escape_string will only work while
you are connected to mysql. Not sure if that is the case in your situation.
- Ben
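Ben's point is the one worth checking: in the old mysql_* extension, mysql_real_escape_string() needs an open connection (it escapes according to the connection's character set, and without one it tries a default mysql_connect(), raises a warning and returns false, so the "sanitized" value silently becomes an empty string). The snippet below is an added example written for this thread, not Graham's code; it assumes a modern PHP with mysqli, a table `files(id, name, path)` and placeholder connection settings, and it makes the connection dependency explicit by passing the handle in, while showing the prepared-statement form that removes the need to escape at all.

```php
<?php
// Added example (not from the thread). Assumptions: PHP 7+/8 with mysqli,
// a table files(id, name, path), placeholder DB credentials below.

/**
 * Same idea as the thread's cleanser(), but the live connection is a
 * parameter: real_escape_string() is only valid for the character set of
 * an open connection, so there is no way to call this "before connecting".
 */
function cleanser(mysqli $db, string $value): string
{
    return $db->real_escape_string(trim($value));
}

/**
 * Preferred form: a prepared statement. The value is sent separately from
 * the SQL text, so it is never spliced into a string literal and nothing
 * needs escaping. The trim() is kept for the same reason as in the thread.
 */
function lookupByPath(mysqli $db, string $path): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM files WHERE path = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $trimmed = trim($path);
    $stmt->bind_param('s', $trimmed);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Placeholder credentials (constructed for the example).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
$db->set_charset('utf8mb4');   // escaping rules follow this charset

// Constructed sample input, the kind of value that breaks naive string splicing.
$sample = "  ../etc/it's.txt  ";

// Escaped form, only meaningful because $db is open and its charset is set.
$escaped = cleanser($db, $sample);
printf("escaped for a string literal: '%s'\n", $escaped);

// Prepared-statement form: the raw value goes straight to bind_param().
$row = lookupByPath($db, $sample);
var_dump($row);
```

Note that escaping only protects the value inside a quoted SQL string literal; `cmd` and `path` in the original code are not obviously destined for SQL at all, and mysql_real_escape_string() does nothing useful for a value that ends up in a shell command or a filesystem path. For those, validate against what the application actually expects (a fixed set of command names, a path confined to one directory) rather than escaping for a different interpreter.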
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php