On Mon, Mar 24, 2008 at 2:40 PM, Daniel Brown <parasane@xxxxxxxxx> wrote:
> On Mon, Mar 24, 2008 at 2:29 PM, Jason Pruim <japruim@xxxxxxxxxx> wrote:
> >
> > It's already been escaped, $business is pulled out of the database
> > after they log in. :)
>
> I don't care, Prune.
>
> (I still get a kick out of knowing that. Who was it, Jochem or
> Zoltan who said that? ;-P)
>
> NEVER trust that the data is escaped regardless of where it
> originated. Suppose someone else writes a script to tie into your
> database and doesn't escape it, and Hagar The Horrible's
> great-great(^15) grandson, Hacker The Horndog comes in and finds the
> vulnerability, and enters the company name as "';DELETE FROM current
> WHERE 1;SELECT * FROM current WHERE 1 "?
>
> Bye, data.
>
> Learn: http://xkcd.com/327/
>
>
> --
> </Daniel P. Brown>
> Forensic Services, Senior Unix Engineer
> 1+ (570-) 362-0283
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

Jason,

Listen to Daniel's advice on this. Hacker issues aside, wouldn't it be
embarrassing if someone typed O'Brien in the input field and it gave a
white screen or, worse yet, text that said "Error with SQL"?
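The point both replies make, worked through as an added example that is not code from the thread or from Jason's application: a value read back out of the database carries no escaping with it, so a query built by string concatenation breaks on O'Brien and, on a driver that runs stacked statements, executes Daniel's payload. Python's sqlite3 stands in for the PHP/MySQL stack of the thread; the table and column names (users, current, business, note), the sample rows, and the use of executescript() to mimic a stacked-statement driver are all assumptions made for the demo.

```python
"""Added example, not from the thread.  Shows why "it came out of the
database, so it's already escaped" is not a defence: escaping belongs to
the query being built, not to the stored value.  Tables, rows and the
stacked-statement behaviour below are constructed for the demo."""
import sqlite3

# Daniel's payload, and Jason's innocent-looking failure case.
DELETE_PAYLOAD = "';DELETE FROM current WHERE 1;SELECT * FROM current WHERE 1 "
APOSTROPHE_NAME = "O'Brien"


def setup_db():
    """In-memory database: a login table and a 'current' table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(login TEXT PRIMARY KEY, business TEXT);
        CREATE TABLE current(id INTEGER PRIMARY KEY, business TEXT, note TEXT);
    """)
    # Rows go in through bound parameters, so the column holds the raw text:
    # an apostrophe is stored as an apostrophe, a payload as a payload.  The
    # "other script" Daniel describes would leave the same thing behind.
    conn.executemany("INSERT INTO users(login, business) VALUES (?, ?)", [
        ("acme", "Acme Widgets"),
        ("obrien", APOSTROPHE_NAME),
        ("horndog", DELETE_PAYLOAD),
    ])
    conn.executemany("INSERT INTO current(business, note) VALUES (?, ?)", [
        ("Acme Widgets", "invoice sent"),
        (APOSTROPHE_NAME, "call back Tuesday"),
    ])
    conn.commit()
    return conn


def business_after_login(conn, login):
    """'$business is pulled out of the database after they log in': the value
    comes back exactly as stored, with no escaping attached to it."""
    row = conn.execute("SELECT business FROM users WHERE login = ?", (login,)).fetchone()
    return row[0]


def row_count(conn):
    """How much of 'current' is still there."""
    return conn.execute("SELECT COUNT(*) FROM current").fetchone()[0]


def notes_unsafe(conn, business):
    """The pattern from the thread: $business dropped straight into the SQL.
    Returns the notes, or the 'Error with SQL' string the page would show."""
    sql = "SELECT note FROM current WHERE business = '" + business + "'"
    try:
        # Assumption: the driver runs every statement in the string, as some
        # do.  sqlite3.executescript() behaves that way, executing each
        # statement in turn until one fails to parse; it discards result
        # rows, so the statement is run once more with execute() to fetch them.
        conn.executescript(sql)
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return "Error with SQL: " + str(exc)


def notes_escaped(conn, business):
    """Daniel's actual advice: escape where the query is built, whatever the
    value's origin.  SQL-standard quoting doubles each single quote
    (mysql_real_escape_string does the MySQL-specific equivalent)."""
    quoted = business.replace("'", "''")
    sql = "SELECT note FROM current WHERE business = '" + quoted + "'"
    return [row[0] for row in conn.execute(sql)]


def notes_safe(conn, business):
    """Bound parameters: the value never becomes part of the SQL text, so
    there is nothing to escape and nothing to get wrong per-charset."""
    rows = conn.execute("SELECT note FROM current WHERE business = ?", (business,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = setup_db()
    for login in ("acme", "obrien", "horndog"):
        business = business_after_login(conn, login)
        print(login, "safe:", notes_safe(conn, business))
        print(login, "escaped:", notes_escaped(conn, business))
        print(login, "unsafe:", notes_unsafe(conn, business))
    print("rows left in current:", row_count(conn))
```

Run it and the unsafe path returns "Error with SQL" for O'Brien, returns it again for the payload after the DELETE has already run (row count drops to zero), while both the escape-at-build-time and the bound-parameter versions return the right notes for O'Brien and an empty result for the payload with the table intact.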