Re: How to detect and delete a string like this

Posted by alanbe on 02/17/07 22:47

On Feb 17, 1:38 pm, Schraalhans Keukenmeester <bitbuc...@invalid.spam>
wrote:
> alanbe wrote:
> > Someone filled out a comment form to me with the following string
> > within the message:
>
> > #file=E:\\util\\xr32\\Projects\\www42t35Href.txt
>
> > The comments are stored in a mysql database
> > When php generates the page to display this field, it looks like this:
>
> > #file=E:\util\xr32\\Projects\www42t35Href.txt
>
> > If I use something like
> > DELETE FROM database where lower(`comments`) like "%file=
> > %"
>
> > or if I try
> > DELETE FROM database where lower(`comments`) like "%\%"
>
> > it fails to detect the string.
>
> > How do I detect and get rid of this kind of posting?
>
> If this is in your db, I gather you (also) haven't got good measures in
> your script preventing SQL injection? If that's the case it's really
> easy to do a lot of damage to your database.
>
> Google has plenty of hits on this topic, if it's new to you, read up!
> PHP has a function to prevent harmful user input strings from wreaking
> havoc on your db: mysql_real_escape_string() could be a real friend.
>
> Sh.

Advice taken.

I reviewed a few pages on how to use mysql_real_escape_string() and
I implemented it. Also did a little more pre-post security checking.

Thanks
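An added example, not code from this thread, using Python with sqlite3 standing in for the PHP/MySQL stack. It shows the two points raised above: a parameterised INSERT so the comment text is passed as data rather than spliced into SQL, and a LIKE pattern with an explicit ESCAPE clause so a backslash or percent sign in the search fragment is matched literally. The table name, the escape character `|` and the sample comments are constructed for this example; the first comment mirrors the string from the original post.

```python
import sqlite3

# Constructed sample comments; the first one mirrors the string in the thread.
SAMPLE_COMMENTS = [
    r"#file=E:\\util\\xr32\\Projects\\www42t35Href.txt",
    "Great site, thanks!",
    "100% agree with the last poster",
]

# Chosen for the example: a character unlikely to appear in search fragments.
ESCAPE_CHAR = "|"


def like_escape(fragment: str, esc: str = ESCAPE_CHAR) -> str:
    """Escape LIKE wildcards so a literal fragment matches only itself.

    The escape character itself is doubled first, then % and _ are prefixed.
    """
    return (fragment.replace(esc, esc + esc)
                    .replace("%", esc + "%")
                    .replace("_", esc + "_"))


def build_db() -> sqlite3.Connection:
    """Create an in-memory table and load the sample comments with bound parameters."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, comments TEXT)")
    # Parameterised INSERT: the driver sends each string as data, so backslashes,
    # quotes and wildcards inside a comment never reach the SQL parser.
    conn.executemany("INSERT INTO comments (comments) VALUES (?)",
                     [(c,) for c in SAMPLE_COMMENTS])
    conn.commit()
    return conn


def find_containing(conn: sqlite3.Connection, fragment: str) -> list:
    """Return (id, comments) rows whose text contains `fragment` literally."""
    pattern = "%" + like_escape(fragment) + "%"
    # ESCAPE makes the escape character explicit, so the pattern means the same
    # thing regardless of the engine's default (MySQL defaults to backslash).
    return conn.execute(
        "SELECT id, comments FROM comments WHERE comments LIKE ? ESCAPE ?",
        (pattern, ESCAPE_CHAR),
    ).fetchall()


def delete_containing(conn: sqlite3.Connection, fragment: str) -> int:
    """Delete rows whose text contains `fragment` literally; return the row count."""
    pattern = "%" + like_escape(fragment) + "%"
    cur = conn.execute(
        "DELETE FROM comments WHERE comments LIKE ? ESCAPE ?",
        (pattern, ESCAPE_CHAR),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_db()
    print("contains a backslash:", find_containing(db, "\\"))
    print("contains a percent sign:", find_containing(db, "%"))
    print("deleted:", delete_containing(db, "#file="))
```

The same query text runs unchanged against MySQL. The reason the `"%\%"` pattern in the original post finds nothing there is that MySQL's default LIKE escape character is the backslash, so `\%` is read as a literal percent sign rather than a backslash; naming a different escape character with ESCAPE removes that ambiguity, and passing the pattern as a bound parameter keeps it out of the string-literal parsing as well.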

Copyright © 2005-2006 Powered by Custom PHP Programming