Thread: PHP security
  #3  
Old 09-12-2006, 11:31 AM
OMAG OMAG is offline
OSP Starters
Join Date: Sep 2006
Posts: 14
Anytime you use a variable to update a piece of a mysql_query, USE mysql_real_escape_string ON EVERY VARIABLE that the user has an opportunity to manipulate!
i.e.
mysql_query("SELECT * FROM books WHERE book_title = '".mysql_real_escape_string($_POST['book_title'])."'");
And also, never output an input variable to the output (like as an error). This opens it up for XSS.
bye
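The two points in the post (escape every user-controlled value that goes into a query, and never echo an input back unescaped), as an added example that is not OMAG's code. It uses modern PHP, because the mysql_* extension and mysql_real_escape_string were removed in PHP 7, so the escaping step is replaced by a mysqli prepared statement; the $db connection, the books table with a book_title column, and the form field name are assumed for illustration.

```php
<?php
// Added example, not from the original post. Assumes a mysqli connection and a
// hypothetical `books` table with an `id` and a `book_title` column.

// 1. SQL injection: the vulnerable form, kept only for comparison.
function findBooksVulnerable(mysqli $db, string $title): mysqli_result|false
{
    // Raw interpolation: a single quote inside $title ends the string literal
    // and everything after it is parsed as SQL.
    return $db->query("SELECT * FROM books WHERE book_title = '$title'");
}

// 1b. The hardened form: the value is bound as a parameter, so it is sent
// separately from the SQL text and can never be interpreted as SQL.
function findBooksSafe(mysqli $db, string $title): array
{
    $stmt = $db->prepare('SELECT id, book_title FROM books WHERE book_title = ?');
    $stmt->bind_param('s', $title);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// 2. XSS: the "no results" error message includes the user's input, which is
// exactly the case the post warns about. Escaping for the HTML context turns
// < > " ' & into entities, so injected markup is shown as text, not rendered.
function renderNotFound(string $title): string
{
    // Vulnerable form (do not use):  return "<p>No book called $title found.</p>";
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>No book called {$safe} found.</p>";
}

// Usage: constructed connection details and a form field named book_title.
$db = new mysqli('localhost', 'app_user', 'app_password', 'library');
$title = $_POST['book_title'] ?? '';
$rows = findBooksSafe($db, $title);
if ($rows === []) {
    echo renderNotFound($title);
}
```

If a project still runs on the old mysql_* API, the post's mysql_real_escape_string call is the right fix there, but it only protects values inside quoted string literals; numeric or identifier positions still need casting or whitelisting.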