Posted by Erwin Moller on 11/24/06 17:35
so many sites so little time wrote:
<snip>
> $query = "UPDATE home SET header='{$_POST['header']}',
This approach is possibly vulnerable to SQL injection.
That is bad.
NEVER trust data coming from GET, POST or COOKIE.
Possibly you have magic quotes enabled in php.ini, but you should at least
check for that.
It is much better to set up your application right from the start than fixing
it afterward (after some funny guy gave the command to delete the database
by inserting that command in your 'header' variable).
Anybody who knows how SQL is formulated can come up with an SQL-injection
command. It is easy.
If you don't know what I am talking about (e.g. you don't know what magic
quotes are and how they change your data and WHY) then you had better take a
break from developing your app and learn about that part first.
Regards,
Erwin Moller
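Added example, not code from the original thread or its participants: the quoted interpolated UPDATE placed beside a PDO prepared statement, with the safe version run against an in-memory SQLite table so it works offline. The table and column names (`home`, `header`, `id`), the sample input and the DSN are constructed for illustration; the same PDO calls work against MySQL with a `mysql:` DSN.

```php
<?php
// Added example, not from the original post. Shows the interpolated UPDATE
// that was quoted in the thread next to a PDO prepared statement, and runs
// the safe version against SQLite in memory so it needs no server.
// Table 'home', columns 'id'/'header' and the input are constructed here.

// Unsafe: the request value is pasted into the SQL text, so a quote inside
// it changes the statement instead of the stored value.
function buildUnsafeUpdate(array $post): string
{
    return "UPDATE home SET header='{$post['header']}' WHERE id=1";
}

// Safe: the SQL structure is fixed at prepare() time; the value is bound
// separately and can only ever be data.
function updateHeader(PDO $db, string $header, int $id): int
{
    // magic_quotes_gpc (PHP < 5.4, removed in 8.0) pre-escapes request data
    // with backslashes. Strip them so the stored text is what the user typed;
    // the driver then escapes exactly once, via the bound parameter.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $header = stripslashes($header);
    }

    $stmt = $db->prepare('UPDATE home SET header = :header WHERE id = :id');
    $stmt->bindValue(':header', $header, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Offline demo on SQLite; ERRMODE_EXCEPTION so failures are not silent.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE home (id INTEGER PRIMARY KEY, header TEXT)');
$db->exec("INSERT INTO home (id, header) VALUES (1, 'old')");

// Constructed input containing a single quote, as a real user might type.
$input = "Bob's homepage";

// With interpolation the quote breaks the statement (printed, not executed).
echo "Unsafe SQL: " . buildUnsafeUpdate(['header' => $input]) . "\n";

// With binding the same input is stored verbatim.
$changed = updateHeader($db, $input, 1);
$stored = $db->query('SELECT header FROM home WHERE id = 1')->fetchColumn();
echo "Rows changed: $changed, stored header: $stored\n";
```

The point of the side-by-side is that the prepared statement does not depend on any escaping of the request data at all: whether magic quotes are on or off, the driver sends the SQL and the parameter separately, so a quote in `header` is stored as a quote rather than interpreted.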