Posted by Erwin Moller on 12/01/06 13:00
plemon wrote:
> and their server I'm on is locked down like Saddam so they're not getting
> in to do that and my ftp yeah sure they can try to crack it heh
It is a common mistake to think you are safe if the server is all right.
If the programmers on the secure server make mistakes, the server cannot do
a thing about it.
If your server is military strength, and runs a webserver running PHP
without magic_quotes_gpc, it is very easy to use SQL-injection, no matter
how 'safe' the server is.
Security is no magic. And it starts with programmers taking it seriously.
If you do not know what SQL-injection is, chances are you didn't write safe
code.
Really, I warned you 3 times in this thread, and you still don't listen.
So my advice is once again: Do yourself a favor, and make sure you
understand what SQL-injection is and how to protect yourself.
Google for it, understand it, then program the rest of your site.
Regards,
Erwin Moller
> Erwin Moller wrote:
>> so many sites so little time wrote:
>>
>> > alright so i deleted the part about you must have made a mistake in
>> > using this page
>> > and added
>> > if (!$r) {
>> > // There was an error
>> > // for simplicity sake, I'll just print it and exit
>> > exit('Error in query (' . $query . '): ' . mysql_error());
>> > }
>> > and as you can see at kirewire.com/pp2/update_site.php
>> > all it says now is you must have made a mistake in your query
>> >
>> > again the queries are:
>> >
>> > <snip>
>> > // Define the query.
>> > $query = "UPDATE home SET header='{$_POST['header']}',
>>
>> Did you fix the SQL-injection vulnerability I was warning you about?
>> No.
>> Reread my post.
>> Do yourself a favor and fix it.
>>
>> Regards,
>> Erwin Moller
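Added example, not code from the thread: a Python/sqlite3 analogue of the quoted PHP `UPDATE home SET header='{$_POST['header']}'` line, showing the string-interpolated version beside a parameterized one (the same idea as mysqli/PDO prepared statements). The table layout and the form input are constructed for the demo.

```python
import sqlite3

# Constructed in-memory stand-in for the "home" table the thread's UPDATE targets.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE home (id INTEGER PRIMARY KEY, header TEXT, body TEXT)")
    conn.execute("INSERT INTO home VALUES (1, 'old header', 'old body')")
    conn.commit()
    return conn

def update_header_unsafe(conn: sqlite3.Connection, header: str) -> None:
    # Mirrors "SET header='{$_POST['header']}'": the request value is pasted into
    # the SQL text, so a quote character in it becomes SQL syntax.
    query = f"UPDATE home SET header='{header}' WHERE id=1"
    conn.execute(query)
    conn.commit()

def update_header_safe(conn: sqlite3.Connection, header: str) -> None:
    # Parameter binding: the value travels separately from the SQL text and is
    # always stored literally, whatever characters it contains.
    conn.execute("UPDATE home SET header=? WHERE id=1", (header,))
    conn.commit()

def row(conn: sqlite3.Connection) -> tuple:
    return conn.execute("SELECT header, body FROM home WHERE id=1").fetchone()

# Constructed form input: a quote closes the intended string literal and the
# remainder touches a column the form never exposed.
HOSTILE_HEADER = "x', body='overwritten"

def demo() -> dict:
    results = {}
    unsafe = make_db()
    update_header_unsafe(unsafe, HOSTILE_HEADER)
    results["unsafe"] = row(unsafe)   # ('x', 'overwritten'): body changed as well
    safe = make_db()
    update_header_safe(safe, HOSTILE_HEADER)
    results["safe"] = row(safe)       # ("x', body='overwritten", 'old body')
    return results

if __name__ == "__main__":
    for mode, (header, body) in demo().items():
        print(f"{mode:6s} header={header!r} body={body!r}")
```

The point Erwin makes is visible in the output: nothing about the host's hardening is involved, the difference is entirely in how the application builds the query.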