Re: urlencode problems

Posted by Erwin Moller on 08/26/05 14:26

Doug Johnston wrote:

> Hi Erwin,

Hi,

>
> Thanks for your reply. I have found stripslashes to work well for me,
> but I have had to fudge the disappearing zeroes.

Well, look deeper. :-)
The fact you cannot pass name/value pairs around the way you expect is a
sign something is wrong somewhere.
I think you might hit other issues later.


Can you pass around a random string with URL-encoding via the query string?
Just make a sample script, and see if it works.
If not, go check the documentation at php.net and check your php.ini
settings, etc. (use htmlentities to be sure you print a string as it is in
a webpage.)

In cases like this, always spend some extra time figuring it out.
Sometimes 'minor problems' return later on with an extra bite. :-(
Just my advice of course. :-)


> With regard to security apart from MySQL login and some unique client
> data, the whole lot will be in a protected directory. Is this enough?

Hard to say. What is a protected directory? Like a .htaccess file?


> I guess if anyone wants to try hard enough they will get through anything.

Yes and No.
Do not take this the wrong way, but that is no valid argument.
If you open a can with top-quality crackers, I expect that they can break a
lot of systems.
But that is no excuse for being sloppy and making things easy for the less
talented.
The easier the crack/hack the more people will see it.
I mean: Every web programmer immediately recognizes that URL as a
security hole. (That goes for method POST in a form too by the way.)
I think it is a bad habit to pass queries around like that.

The question is of course whether the receiving script will execute the query.
If it does not (and only stores it somewhere in a log file, e.g.), the situation
is less serious of course. :-)

Sorry if I sound patronizing. (slap me. :P)


> Maybe there is something else I could do?

I always add things like this:
The script that receives the SQL query should start with checking the
session to be sure the one logged in has access to that script.
eg: $_SESSION["admin"] should contain "Y"
if not: terminate the script and scoff the user.

Good luck

Regards,
Erwin Moller


>
> Regards
> Doug Johnston
>
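As an added example (not code from Erwin or Doug in this thread), the two things Erwin suggests: a sample script that round-trips a tricky string through URL encoding to check the php.ini setup, and the session check at the top of the receiving script. The sample string, the `magic_quotes_gpc` probe and the function name `roundtrip_ok` are assumptions for illustration.

```php
<?php
// Added example, not code from the original thread.
session_start();

// 1. Gate: refuse anyone whose session is not marked as admin.
//    Erwin's convention: $_SESSION["admin"] must contain "Y".
if (!isset($_SESSION["admin"]) || $_SESSION["admin"] !== "Y") {
    header("HTTP/1.1 403 Forbidden");
    exit("Access denied.");
}

// 2. Round-trip test for URL encoding: take a string with the characters
//    that usually break (leading zeros, quotes, backslash, +, %, &, =),
//    build a query string from it, and check it decodes back unchanged.
function roundtrip_ok(string $value): bool
{
    $query = http_build_query(["v" => $value]); // urlencode()s the value
    parse_str($query, $out);                     // decodes like PHP does for $_GET
    return isset($out["v"]) && $out["v"] === $value;
}

// Constructed sample input.
$sample = "007 O'Brien \"quoted\" back\\slash a+b 100% x&y=z";

// With magic_quotes_gpc=On (an old php.ini setting, removed in PHP 8),
// $_GET values arrive with extra backslashes; that is the kind of php.ini
// issue Erwin refers to, and it is why stripslashes() seemed to "fix" things.
$magic = function_exists("get_magic_quotes_gpc") && get_magic_quotes_gpc();

echo "<pre>";
echo "magic_quotes_gpc: " . ($magic ? "On" : "Off") . "\n";
echo "round-trip ok:    " . (roundtrip_ok($sample) ? "yes" : "no") . "\n";
// htmlentities() so the string is shown exactly as it is, not rendered as HTML.
echo "sample:           " . htmlentities($sample, ENT_QUOTES, "UTF-8") . "\n";
echo "</pre>";
```

If the round trip reports "no" while magic_quotes_gpc is On, the backslashes are being added by PHP on input, not lost by urlencode(), which is the place to fix it rather than patching the output afterwards.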
