Posted by Sebastian Lisken on 10/11/85 12:00
Erwin Moller <Since_humans_read_this_I_am_spammed_too_much@spamyourself.com> wrote:
> Your app accepts complete SQL-commands from the outside?
> Are you sure that is all right?
Of course not. When I wrote "SQL strings" I meant just that: user input
that becomes a string as regarded by SQL's grammar. Not a keyword or a
number. Something like
"SELECT * FROM tblusers WHERE name='" . mysql_real_escape_string($_GET['username']) . "';"
Just as a different example, if the value becomes a number I'd use
it without single quotes or an escape function but validate it using
is_numeric instead.
> No, not an XSS attack. The PHPSESSID is only used to maintain a session
> with some client.
> But in case you wrote your own session handlers, you should take precautions.
> If you use default sessions (file) don't worry.
>
> Of course you should always worry about session stealing.
I have of course read up on all of this. I'm not saying I'd never need
to remind myself of that issue again, or that further thoughts are not
welcome, but I'd really prefer this thread not to become a general PHP
security roundup. I'm looking for answers to my specific question:
Could SID be manipulated to contain something nasty instead of
"Name_of_session_id_variable=hexadecimal_session_id", so that it might
warrant escaping?
Sebastian
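As an added illustration (not code from Sebastian's post or from any PHP project), the three cases discussed in this thread side by side: a user-supplied string that must only ever be a string literal to SQL's grammar, a user-supplied number that is validated rather than quoted, and the SID constant checked for the expected "session_name=session_id" shape before it is echoed into a link. The example assumes a mysqli connection `$db` and a table `tblusers` with columns `id` and `name`; it uses `mysqli::real_escape_string` in place of `mysql_real_escape_string`, since the old mysql extension was removed in PHP 7.0. The function names and the `{22,256}` length bound on the session id are this example's assumptions.

```php
<?php
// Added example, not part of the original thread. Assumes a mysqli
// connection $db and a table tblusers(id INT, name VARCHAR) (constructed).
declare(strict_types=1);

// Case 1: string input. Escape it so that, whatever the client sent, the
// value is parsed by SQL as the contents of one string literal and nothing
// else: never a keyword, operator or a second statement.
function lookupByName(mysqli $db, string $username): string
{
    $escaped = $db->real_escape_string($username);
    return "SELECT id, name FROM tblusers WHERE name='" . $escaped . "'";
}

// Case 2: numeric input. Do not quote or escape; validate instead.
// ctype_digit is stricter than is_numeric (it rejects "1e3", " 42",
// "0x1A" and floats), and the length cap keeps the value inside INT range.
function lookupById(mysqli $db, string $rawId): ?string
{
    if (!ctype_digit($rawId) || strlen($rawId) > 10) {
        return null; // reject the request; never build the query
    }
    return "SELECT id, name FROM tblusers WHERE id=" . (int) $rawId;
}

// Case 3: the SID constant. When the session id arrives in the URL rather
// than a cookie, SID is "session_name=session_id" and the id part is
// client-controlled. Before echoing it into a link, check that it has the
// shape of a session id and escape for the HTML output context anyway.
function safeSidForHtml(): string
{
    if (!defined('SID') || SID === '') {
        return ''; // session id is carried in a cookie; nothing to append
    }
    [$name, $id] = explode('=', SID, 2) + [1 => ''];
    // Assumption: a session id is only [A-Za-z0-9,-], 22 to 256 characters.
    if ($name !== session_name() || !preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
        return ''; // not a session id: drop it rather than propagate it
    }
    return htmlspecialchars($name . '=' . $id, ENT_QUOTES, 'UTF-8');
}

// Usage (assumes $db is an open mysqli connection and session_start() ran):
// $sql  = lookupByName($db, $_GET['username'] ?? '');
// $sql2 = lookupById($db, $_GET['id'] ?? '');   // null on bad input
// echo '<a href="next.php?' . safeSidForHtml() . '">next</a>';
```

The escaping in `lookupByName` is the approach the thread discusses; on current PHP the same goal is met more robustly with a prepared statement (`$db->prepare('SELECT id, name FROM tblusers WHERE name=?')`), which keeps the value out of the SQL text entirely. `safeSidForHtml` answers the thread's question from the output side: it does not trust that SID is well-formed, it checks, and it still applies the escaping that the HTML context requires.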