Posted by Sandman on 12/19/06 12:30
In article <HLydnaQz665uUxrYnZ2dnUVZ_uS3nZ2d@cablespeedmi.com>,
bill <nobody@spamcop.net> wrote:
> MySQL newbie, not new to computing.
>
> In my application I accept photos and data, some structured and
> some free text. I store the information (but not the images) in a
> MySQL database and then from that information I construct a web
> page for the user.
>
> The images are always displayed within an <img tag.
>
> The text is displayed as part of the web page, within <p> tags.
>
> The users are all registered and (more or less) trusted individuals
>
> <paranoid mode on>
>
> 1: Do I need to worry about SQL injection if I do not process the
> incoming free form data ?
Worry? Maybe not. Prevent? Yes.
> 2: Do I need to worry about PHP statements being embedded in the
> free form data ?
No. PHP statements in form data won't be executed.
But, if they upload an "image" that really is "malware.php" and you
save it to disk and it can be browsed to through DOCUMENT_ROOT, then
it will be executed and it could do all sorts of nasty stuff.
> 3: if so, what are the best practices to protect my database/site ?
Make it ugly so no one will use it :-D
--
Sandman[.net]
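Added example, not code from either poster: a PHP upload handler that addresses the two points in the reply above. The client's filename is never used on disk (so an "image" that is really `malware.php` cannot be browsed to), the file goes to a directory outside DOCUMENT_ROOT, the free text is inserted with a prepared statement, and it is HTML-escaped when rendered inside the `<p>` tags. The table `photos`, its columns, the upload field `photo`, the path in `UPLOAD_DIR` and the `$pdo` connection are all assumptions for illustration.

```php
<?php
// Added example (not from the thread). Assumptions: a MySQL table
// photos(id, user_id, caption, stored_name), a PDO connection in $pdo,
// an upload field named "photo", and UPLOAD_DIR located OUTSIDE the
// web server's DOCUMENT_ROOT. All of these names are hypothetical.

declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // assumed path, not under DOCUMENT_ROOT
const MAX_BYTES  = 5 * 1024 * 1024;      // assumed size limit
const ALLOWED    = [                     // detected MIME type => extension we assign
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate an upload as an image and move it out of the web root under a name
 * we generate. The client-supplied filename and extension are ignored, so a
 * file named "malware.php" never lands anywhere the web server would execute it.
 * Returns the stored filename, or null if the upload is rejected.
 */
function storeUploadedImage(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (($file['size'] ?? 0) > MAX_BYTES) {
        return null;
    }
    // Inspect the bytes, not the client's claimed type or extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        return null;
    }
    // getimagesize() returns false for anything that is not a parseable image.
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }
    $storedName = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $storedName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640);   // plain data file, never executable
    return $storedName;
}

/**
 * Save the free-text caption with a prepared statement. The text is bound as a
 * parameter, so quotes or SQL keywords inside it are data, not query syntax.
 */
function savePhotoRecord(PDO $pdo, int $userId, string $caption, string $storedName): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO photos (user_id, caption, stored_name) VALUES (:uid, :caption, :name)'
    );
    $stmt->execute([':uid' => $userId, ':caption' => $caption, ':name' => $storedName]);
    return (int) $pdo->lastInsertId();
}

/**
 * Escape the stored text when building the page, so any markup a user typed is
 * shown literally inside the <p> tags instead of being interpreted by the browser.
 */
function renderCaption(string $caption): string
{
    return '<p>' . htmlspecialchars($caption, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

/**
 * Serve a stored image through this script, since the file is not under the web
 * root. Only names of the exact form we generate are accepted, so no path from
 * the request can reach any other file.
 */
function serveImage(string $storedName): void
{
    if (!preg_match('/^[0-9a-f]{32}\.(jpg|png|gif)$/', $storedName)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $storedName;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . mime_content_type($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

// Handler sketch (assumes $pdo and a logged-in $userId already exist):
// $name = storeUploadedImage($_FILES['photo'] ?? []);
// if ($name !== null) { savePhotoRecord($pdo, $userId, $_POST['caption'] ?? '', $name); }
```

The two checks that matter most are the ones the reply hints at: the file's bytes decide whether it is an image, and the web server never sees the upload directory, so even a file that passed validation but carried PHP inside it is only ever read back as image data by `serveImage()`.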