Re: Why won't this query work?

On Monday, 2008. 03. 24 at 14.40, Daniel Brown wrote:
> On Mon, Mar 24, 2008 at 2:29 PM, Jason Pruim <japruim@xxxxxxxxxx> wrote:
> >
> >  It's already been escaped, $business is pulled out of the database
> >  after they log in. :)
> 
>     I don't care, Prune.
> 
>     (I still get a kick out of knowing that.  Who was it, Jochem or
> Zoltan who said that?  ;-P)

/me points at Jochem ;)

greets
Zoltán Németh

> 
>     NEVER trust that the data is escaped regardless of where it
> originated.  Suppose someone else writes a script to tie into your
> database and doesn't escape it, and Hagar The Horrible's
> great-great(^15) grandson, Hacker The Horndog comes in and finds the
> vulnerability, and enters the company name as "';DELETE FROM current
> WHERE 1;SELECT * FROM current WHERE 1 "?
> 
>     Bye, data.
> 
>     Learn: http://xkcd.com/327/
> 
> -- 
> </Daniel P. Brown>
> Forensic Services, Senior Unix Engineer
> 1+ (570-) 362-0283
> 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
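
The point argued in the thread, that a value read back from the database is raw text and not "already escaped", shown as an added example (not code from the thread): the same lookup written with string concatenation and with a bound parameter. It goes slightly beyond the thread by also using a legitimate company name containing an apostrophe. Assumed for illustration: an in-memory SQLite database through PDO, the `users` table, the `login`/`business`/`item` columns, and the helpers `findUnsafe()` and `findSafe()`; only the `current` table name and the second company name come from the thread.

```php
<?php
// Added example. Assumed names: users table, login/business/item columns,
// findUnsafe()/findSafe(). `current` is the table named in the thread.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (login TEXT, business TEXT)');
$pdo->exec('CREATE TABLE current (business TEXT, item TEXT)');

// Constructed rows. The second company name is the string quoted in the thread;
// both are written with bound parameters, so they are stored verbatim.
$names = [
    'alice' => "O'Brien Supply",
    'bob'   => "';DELETE FROM current WHERE 1;SELECT * FROM current WHERE 1 ",
];
$addUser = $pdo->prepare('INSERT INTO users (login, business) VALUES (?, ?)');
$addItem = $pdo->prepare('INSERT INTO current (business, item) VALUES (?, ?)');
foreach ($names as $login => $name) {
    $addUser->execute([$login, $name]);
    $addItem->execute([$name, "order for $login"]);
}

// Concatenation: trusts that $business "has already been escaped".
function findUnsafe(PDO $pdo, string $business): array {
    $sql = "SELECT item FROM current WHERE business = '$business'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Bound parameter: the value never becomes part of the SQL text.
function findSafe(PDO $pdo, string $business): array {
    $stmt = $pdo->prepare('SELECT item FROM current WHERE business = ?');
    $stmt->execute([$business]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$lookup = $pdo->prepare('SELECT business FROM users WHERE login = ?');
foreach ($names as $login => $stored) {
    $lookup->execute([$login]);
    $business = $lookup->fetchColumn();   // what the app reads "after they log in"
    var_dump($business === $stored);      // is the stored text returned unchanged?
    try {
        printf("unsafe: %d row(s)\n", count(findUnsafe($pdo, $business)));
    } catch (PDOException $e) {
        echo "unsafe: query failed: ", $e->getMessage(), "\n";
    }
    printf("safe:   %d row(s)\n", count(findSafe($pdo, $business)));
}
```

Whether the statements after the first `;` in a concatenated query are executed depends on the database driver and the API call used; the bound-parameter form does not depend on that.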

