Vulnerability Development mailing list archives
Re: Is this PHP code secure from CSS ?
From: "Meder Kydyraliev" <meder () areopag net>
Date: Wed, 1 Oct 2003 13:09:48 +0600 (KGST)
You might also want to check out: http://libox.net/sanitize.php

People have already written functions that you should use.

Hope that helps,
Meder
On Fri 26/09/2003 at 17:21, kha wrote:
> $login = mysql_escape_string($post->login);
> $password = mysql_escape_string($post->password);
> $lines = performQuery("select id from users where name='$login' and pass='$password'");
>
> Do I need only the mysql_escape_string function to prevent SQL injections in the form, or should I perform other checks?

You should perform any test you can perform. mysql_escape_string can happen to be buggy one day, who knows. Another cool function you can use for input validation is PHP safe mode magic_quotes_* settings. Anyway, if you decide both login and password should contain only alphanumeric characters, you should enforce $login and $password against a [a-zA-Z0-9] based expression before constructing your SQL query.

NB: passwords are not yet encrypted in the database. :/

NB: what you want to avoid here is not CSS (one usually says XSS), but SQL injection.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
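The following is an added example, not code from anyone on this thread. It rebuilds the login query quoted above against an in-memory SQLite database and runs it three ways: exactly as posted but with no escaping (injectable with the classic `' or '1'='1` tautology), with the inputs escaped first (the SQLite analogue of mysql_escape_string, which blocks that payload), and with the alphanumeric allowlist from the reply plus a parameterised query, which is the modern replacement for escaping. The table, the user rows and the helper names are invented for the example; the password column stays plaintext, as in the original code, so the NB about unencrypted passwords still applies.

```python
import re
import sqlite3

# The [a-zA-Z0-9] rule from the reply, applied to the whole string.
ALNUM = re.compile(r"[a-zA-Z0-9]+")

# Constructed sample data (not from the thread): two users, plaintext
# passwords exactly as the posted schema would store them.
SAMPLE_USERS = [(1, "alice", "s3cret"), (2, "bob", "hunter2")]

# Classic tautology payload sent as the password field.
PAYLOAD = "' or '1'='1"


def make_db() -> sqlite3.Connection:
    """Build the in-memory users table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def _first_id(conn: sqlite3.Connection, sql: str, params=()):
    """Return the id of the first matching row, or None (performQuery stand-in)."""
    row = conn.execute(sql, params).fetchone()
    return row[0] if row else None


def login_interpolated(conn, login: str, password: str):
    """The posted query with no escaping at all: user data becomes SQL."""
    sql = f"select id from users where name='{login}' and pass='{password}'"
    return _first_id(conn, sql)


def sqlite_escape(value: str) -> str:
    """SQLite stand-in for mysql_escape_string: a single quote inside a
    string literal is written as two single quotes. MySQL's function also
    handles backslashes, NUL and a few control characters; this toy only
    covers the quote that matters for the payload here."""
    return value.replace("'", "''")


def login_escaped(conn, login: str, password: str):
    """Same query shape as kha's code: escape, then interpolate."""
    sql = (f"select id from users where name='{sqlite_escape(login)}' "
           f"and pass='{sqlite_escape(password)}'")
    return _first_id(conn, sql)


def login_hardened(conn, login: str, password: str):
    """Allowlist check first (reject anything outside [a-zA-Z0-9]), then a
    parameterised query so the driver never parses user data as SQL text."""
    if not (ALNUM.fullmatch(login) and ALNUM.fullmatch(password)):
        return None
    return _first_id(conn, "select id from users where name=? and pass=?",
                     (login, password))


if __name__ == "__main__":
    db = make_db()
    print("interpolated, real creds :", login_interpolated(db, "alice", "s3cret"))
    print("interpolated, payload    :", login_interpolated(db, "nobody", PAYLOAD))
    print("escaped, payload         :", login_escaped(db, "nobody", PAYLOAD))
    print("hardened, payload        :", login_hardened(db, "nobody", PAYLOAD))
    print("hardened, real creds     :", login_hardened(db, "alice", "s3cret"))
```

With the payload in the password field the unescaped query becomes `... and pass='' or '1'='1'`, and because AND binds tighter than OR the whole WHERE clause is true for every row, so the attacker is logged in as whichever user comes back first. The escaped version turns the payload into a harmless string literal; the hardened version rejects it before any SQL is built and, even for input that passes the allowlist, hands the values to the driver as parameters rather than concatenating them.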
