On Mon, Mar 24, 2008 at 2:29 PM, Jason Pruim <japruim@xxxxxxxxxx> wrote:
>
> It's already been escaped, $business is pulled out of the database
> after they log in. :)

I don't care, Prune. (I still get a kick out of knowing that. Who was it, Jochem or Zoltan who said that? ;-P)

NEVER trust that the data is escaped regardless of where it originated. Suppose someone else writes a script to tie into your database and doesn't escape it, and Hagar The Horrible's great-great(^15) grandson, Hacker The Horndog comes in and finds the vulnerability, and enters the company name as "';DELETE FROM current WHERE 1;SELECT * FROM current WHERE 1 "? Bye, data.

Learn: http://xkcd.com/327/

--
</Daniel P. Brown>
Forensic Services, Senior Unix Engineer
1+ (570-) 362-0283
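
The scenario described in the message above, as an added example that is not code from the thread: a company name stored verbatim by another script is read back and then used in a query, first by string concatenation and then as a bound parameter. The in-memory SQLite database via PDO, the `users` table, the `hits` column and the function names are assumptions made for the illustration; the table name `current` and the company-name string are the ones quoted in the message.

```php
<?php
// Added example; schema and function names are assumptions, not code from the thread.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// The company name quoted in the message above, exactly as given there.
$hostile = "';DELETE FROM current WHERE 1;SELECT * FROM current WHERE 1 ";

function seed(PDO $pdo, string $hostile): void {
    $pdo->exec('DROP TABLE IF EXISTS current');
    $pdo->exec('DROP TABLE IF EXISTS users');
    $pdo->exec('CREATE TABLE current (business TEXT, hits INTEGER DEFAULT 0)');
    $pdo->exec('CREATE TABLE users (login TEXT, business TEXT)');
    $pdo->exec("INSERT INTO current (business) VALUES ('Acme'), ('Globex')");
    // A different script stored this value. It used a bound parameter, so the
    // INSERT itself was safe and the string sits in the table verbatim.
    $pdo->prepare('INSERT INTO users VALUES (?, ?)')->execute(['mallory', $hostile]);
}

function businessFor(PDO $pdo, string $login): string {
    $st = $pdo->prepare('SELECT business FROM users WHERE login = ?');
    $st->execute([$login]);
    return (string) $st->fetchColumn();
}

function rowsLeft(PDO $pdo): int {
    return (int) $pdo->query('SELECT COUNT(*) FROM current')->fetchColumn();
}

// Before: the value "came from the database", so it is pasted into the SQL.
seed($pdo, $hostile);
$business = businessFor($pdo, 'mallory');
try {
    $pdo->exec("UPDATE current SET hits = hits + 1 WHERE business = '$business'");
} catch (PDOException $e) {
    // The stray closing quote breaks the last statement; the earlier ones already ran.
}
echo 'concatenated: ', rowsLeft($pdo), " rows left\n";

// After: same value, bound as a parameter, so it is only ever compared as data.
seed($pdo, $hostile);
$business = businessFor($pdo, 'mallory');
$st = $pdo->prepare('UPDATE current SET hits = hits + 1 WHERE business = ?');
$st->execute([$business]);
echo 'bound: ', rowsLeft($pdo), " rows left\n";
```

Whether the extra statements execute depends on the driver and call used; `PDO::exec()` on SQLite runs every statement in the string, which is why the bound form is the one to rely on regardless of driver.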