Posted by Robin on 07/14/06 08:42

Frankie wrote:
> ----- Original Message -----
> From: "Robin" <anon@somewhere.com>
> Newsgroups: comp.lang.php
> Sent: Thursday, July 13, 2006 3:25 AM
> Subject: Re: HELP: pesky SQL syntax error using PHP variables
>
>><snip>
>>
>>You cannot guarantee that this value will only be one of your <option>
>>tag values. Posted data is easily forged.
>
> Hmmm.
>
> So you're suggesting all POST data be cleaned, even if it comes from a
> select menu which doesn't allow user input? In this case, a bogus POST value
> would only cause the query to fail, right? Or could a malicious user gain
> access to the server this way?
>
> At the moment, I only clean data that allows direct user input, such as text
> fields.

As Rik says, trust nothing that has come from the user as users cannot
be trusted! Don't rely on the standard way browsers restrict the posted
data (such as select tags), or even javascript validation before submission.

Note: (often forgotten) that $_SERVER['PHP_SELF'] comes from the user
too and can be used for cross site scripting attacks (see
http://en.wikipedia.org/wiki/XSS ).

Robin

• Next in forum: socket deadlock
• Prev in forum: Re: calling a javascript alert from php
• Thread view: Re: HELP: pesky SQL syntax error using PHP variables

[Reply to this message]