Posted by Rik on 07/14/06 02:10
Frankie wrote:
> ----- Original Message -----
> From: "Robin" <anon@somewhere.com>
> Newsgroups: comp.lang.php
> Sent: Thursday, July 13, 2006 3:25 AM
> Subject: Re: HELP: pesky SQL syntax error using PHP variables
>
>
>> <snip>
>>
>> You cannot guarantee that this value will only be one of your
>> <option> tag values. Posted data is easily forged.
>
> Hmmm.
>
> So you're suggesting all POST data be cleaned, even if it comes from a
> select menu which doesn't allow user input?
Yes. I could send raw headers to your script, but much simpler is to make my
own form with the appropriate names, and post it to your url...
> In this case, a bogus
> POST value would only cause the query to fail, right?
Nope.
> Or could a
> malicious user gain access to the server this way?
Yes and no. If the POST values are used for db queries, one could pretty
much do anything to your database very easily if you haven't protected
yourself against it. Depending on how the rest of your server is setup, and
how sensitive data is kept, maybe even more.
> At the moment, I only clean data that allows direct user input, such
> as text fields.
You should check, escape & clean all data that comes from the users.
Grtz,
--
Rik Wasmus
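The point Rik makes above, worked through in code. This is an added example, not code from the original thread: it assumes a PDO connection to an in-memory SQLite database so it runs stand-alone, and the table `products`, its columns, the option list `$allowed_categories` and the two `find_products_*` functions are all invented for illustration. The vulnerable function trusts that `$_POST['category']` can only be one of the `<option>` values; the hardened one checks the value against the same array that renders the menu and then binds it with a prepared statement, so a forged value is rejected before any SQL is built.

```php
<?php
// Added example (not from the original thread). Assumes an in-memory SQLite
// database via PDO so it runs stand-alone; the table name, column names and
// the option list are made up for illustration.

// The same list feeds the <option> tags and the server-side check, so the
// two cannot drift apart.
$allowed_categories = ['books', 'music', 'video'];

function render_select(array $options): string {
    $html = '<select name="category">';
    foreach ($options as $opt) {
        $escaped = htmlspecialchars($opt, ENT_QUOTES, 'UTF-8');
        $html .= '<option value="' . $escaped . '">' . $escaped . '</option>';
    }
    return $html . '</select>';
}

// Vulnerable: interpolates the posted value directly, trusting that it is one
// of the <option> values. Any client can post an arbitrary string instead.
function find_products_vulnerable(PDO $db, string $category): array {
    $sql = "SELECT name FROM products WHERE category = '$category'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: whitelist the value against the option list, then bind it with a
// prepared statement so it can never be parsed as SQL.
function find_products_safe(PDO $db, array $allowed, $category): array {
    if (!is_string($category) || !in_array($category, $allowed, true)) {
        // Anything not in the list is a forged request, not a query to run.
        throw new InvalidArgumentException('category not in allowed set');
    }
    $stmt = $db->prepare('SELECT name FROM products WHERE category = ?');
    $stmt->execute([$category]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// --- demo with constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (name TEXT, category TEXT)');
$db->exec("INSERT INTO products VALUES ('Dune','books'),('Kind of Blue','music'),('Alien','video')");

echo render_select($allowed_categories), "\n";

// A forged POST body that never came from the select menu, e.g. sent with
//   curl -d "category=' OR '1'='1" http://host/script.php
$forged = "' OR '1'='1";

// Vulnerable version: the forged value rewrites the WHERE clause, so rows from
// every category come back instead of a syntax error.
print_r(find_products_vulnerable($db, $forged));

// Safe version: the same value is rejected before any SQL is built.
try {
    find_products_safe($db, $allowed_categories, $forged);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// A legitimate value passes the whitelist and is bound as a parameter.
print_r(find_products_safe($db, $allowed_categories, 'music'));
```

A value such as `foo'` would indeed just make the interpolated query fail with a syntax error, which is what the original poster had in mind; the forged value shown here is equally easy to send and instead changes what the query returns. Checking against the whitelist handles both cases, and the prepared statement protects the query even if the whitelist is later dropped.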