11/09/2007, 19:10   #5
Stut
Re: [PHP] SEARCHING for an answer...

Jason Pruim wrote:
>
> On Sep 11, 2007, at 1:22 PM, Instruct ICC wrote:
>
>> Also read http://en.wikipedia.org/wiki/SQL_injection
>
> I have read about SQL injection, and I will be scrubbing the data before
> searching but the search is only available after logging into the
> system. No one who isn't logged in can even view the page.

That couldn't be less relevant. Repeat after me... "Legitimate" users
can be malicious too. All data going into a SQL statement needs to be
escaped unless it's a hard-coded string. No exceptions. Ever.

-Stut

--
http://stut.net/
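
Added example, not part of the message above or of the thread: a search query behind a login, once with the term concatenated into the SQL text and once bound as a parameter. The `contacts` table, its rows, the function names and the search terms are all constructed for illustration, and it assumes PDO with the SQLite driver.

```php
<?php
// Constructed table and data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)');
$db->exec("INSERT INTO contacts (owner, name) VALUES
    ('jason', 'Tim O''Brien'), ('jason', 'Ann Lee'), ('other', 'Private Person')");

// "Before": the term typed by a logged-in user becomes part of the SQL text.
function search_unsafe(PDO $db, string $owner, string $term): array {
    $sql = "SELECT name FROM contacts WHERE owner = '$owner' AND name LIKE '%$term%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// "After": the statement is fixed and the term travels as a bound value.
// LIKE wildcards in the term are escaped so they match literally.
function search_safe(PDO $db, string $owner, string $term): array {
    $like = '%' . addcslashes($term, '\\%_') . '%';
    $stmt = $db->prepare(
        "SELECT name FROM contacts WHERE owner = :owner AND name LIKE :term ESCAPE '\\'"
    );
    $stmt->execute([':owner' => $owner, ':term' => $like]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs from an authenticated session: an ordinary name,
// a name containing a quote, and a bare LIKE wildcard.
foreach (['Lee', "O'Brien", '%'] as $term) {
    try {
        $unsafe = json_encode(search_unsafe($db, 'jason', $term));
    } catch (PDOException $e) {
        $unsafe = 'SQL error: the input was parsed as part of the statement';
    }
    $safe = json_encode(search_safe($db, 'jason', $term));
    echo "term=[$term]\n  concatenated: $unsafe\n  bound:        $safe\n";
}
```

The quote in an ordinary surname is enough to change how the concatenated statement parses, which is the same mechanism the linked SQL injection article describes; the bound version treats every term as data regardless of who is logged in.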