Posted by Kim André Akerø on 02/05/07 23:54
Jerry Stuckle wrote:
> Rik wrote:
> >Ramon <info@kwekerijschiffelers.nl> wrote:
> >
> > > The length of the string is +/- 1200 characters. The maximum for
> > > IE is 2048, and for other browsers even longer...
> > >
> >
> > Hmmz, you're right. I've tested it, and here it works perfectly.
> > rawurlencoded yields about 1270 characters, and I can get them back
> > nicely without any trouble, the full string.
> >
> > Seems a configuration issue of either PHP, browser or webserver to
> > me, but I'm not going to find out: it still seems very silly to me
> > to try this in a GET. --Rik Wasmus
>
> Yep, in addition, it's very insecure. I could just put in my browser
> window
>
> http://www.example.com?sql=delete%20from%20orders
Or even worse (just to prove a point to the OP):
http://www.example.com?sql=drop%20table%20orders
> You shouldn't even attempt to put a sql statement in the $_GET or
> $_POST string. Rather, put only the values you need for the query.
>
> Or save the query in the $_SESSION.
--
Kim André Akerø
- kimandre@NOSPAMbetadome.com
(remove NOSPAM to contact me directly)
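The pattern the replies warn against, beside the shape Jerry recommends (request carries only values, the statement stays in the code), as an added PHP example that is not part of the thread. It assumes PDO with an in-memory SQLite database and a hypothetical `orders` table with constructed rows; the function names are made up for the illustration.

```php
<?php
// Added example, not from the original thread.

// Anti-pattern: the whole SQL statement arrives in the query string.
// Anyone who can type a URL chooses what runs, as the thread's URLs show.
function run_sql_from_request(PDO $db, array $get): void
{
    $db->query($get['sql']); // never do this
}

// Recommended shape: the SQL lives in the code and the request carries only
// the values. User-supplied data is bound as a parameter; the sort column,
// which cannot be bound, is checked against an allow-list instead.
function find_orders(PDO $db, array $get): array
{
    $allowedSort = ['order_date', 'total'];
    $sort = in_array($get['sort'] ?? '', $allowedSort, true) ? $get['sort'] : 'order_date';

    $stmt = $db->prepare(
        "SELECT id, customer, total, order_date FROM orders
         WHERE customer = :customer ORDER BY $sort"
    );
    $stmt->execute([':customer' => $get['customer'] ?? '']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Variant of Jerry's "save the query in the $_SESSION" suggestion: the session
// holds named statements, the request only names which one to run.
function run_named_query(PDO $db, array $session, array $get): array
{
    $name = $get['q'] ?? '';
    if (!isset($session['queries'][$name])) {
        throw new InvalidArgumentException('unknown query name');
    }
    $stmt = $db->prepare($session['queries'][$name]);
    $stmt->execute([':customer' => $get['customer'] ?? '']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data (hypothetical schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL, order_date TEXT)');
$db->exec("INSERT INTO orders (customer, total, order_date) VALUES
           ('acme', 10.5, '2007-02-01'), ('acme', 3.0, '2007-02-03'), ('other', 99.0, '2007-02-02')");

// A quote-laden value is just an unknown customer name when it is bound, not SQL.
print_r(find_orders($db, ['customer' => "acme' OR '1'='1", 'sort' => 'total'])); // empty result
print_r(find_orders($db, ['customer' => 'acme', 'sort' => 'total']));            // two acme rows

$session = ['queries' => ['by_customer' => 'SELECT id, total FROM orders WHERE customer = :customer']];
print_r(run_named_query($db, $session, ['q' => 'by_customer', 'customer' => 'other'])); // one row
```

The URL for the hardened version looks like `?customer=acme&sort=total`: short enough that the GET length question from the start of the thread no longer arises, and nothing in it is executed as SQL.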