Re: Is this PHP code secure from CSS ?
From: Cedric Blancher (blancher at cartel-securite.fr)
Date: Fri Sep 26 2003 - 15:11:24 CDT
On Fri 26/09/2003 at 17:21, kha wrote:
> $login = mysql_escape_string($_POST['login']);
> $password = mysql_escape_string($_POST['password']);
> $lines = performQuery("select id from users where name='$login' and
> pass='$password'");
> Do I need only the mysql_escape_string function to prevent SQL injections in
> the form, or should I perform other checks?
You should perform any test you can perform. mysql_escape_string can
happen to be buggy one day, who knows. Another cool function you can use
for input validation is PHP safe mode's magic_quotes_* settings.
Anyway, if you decide both login and password should contain only
alphanumeric characters, you should enforce $login and $password against
a [a-zA-Z0-9] based expression before constructing your SQL query.
> NB : passwords are not yet encrypted in the database.
:/
NB : what you want to avoid here is not CSS (one usually says XSS), but
SQL injection.
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
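The whitelist check recommended in the reply, written out as an added example (not code from either poster): each value must match an anchored [a-zA-Z0-9] expression before the query string is built, and anything else is rejected rather than escaped. The length bound and the helper names are assumptions; performQuery() is the poster's own function and is assumed to exist.

```php
<?php
// Added example: reject any login/password that is not purely alphanumeric
// before it reaches the SQL string. Names and the length bound are assumed.

function validate_alnum(string $value, int $min = 1, int $max = 32): bool
{
    // Anchored pattern: the WHOLE value must be $min..$max characters from
    // [a-zA-Z0-9]. Without ^ and $ a quote could hide at either end.
    $pattern = '/^[a-zA-Z0-9]{' . $min . ',' . $max . '}$/';
    return preg_match($pattern, $value) === 1;
}

function build_login_query(string $login, string $password): ?string
{
    if (!validate_alnum($login) || !validate_alnum($password)) {
        // Do not try to "clean" bad input; refuse it and log the attempt.
        return null;
    }
    // A whitelisted value cannot contain ', \, ; or comment markers, so the
    // interpolation below cannot break out of the single-quoted literals.
    return "select id from users where name='$login' and pass='$password'";
}

// Constructed sample inputs: a legitimate pair, then one carrying a quote.
$ok  = build_login_query('alice', 'S3cret');
$bad = build_login_query("' or '1'='1", 'x');

if ($ok !== null) {
    $lines = performQuery($ok);        // poster's helper, assumed to exist
}
if ($bad === null) {
    error_log('login rejected by whitelist check');
}
```

Where the database driver offers bound parameters, using them removes the need to reason about escaping at all; the whitelist then remains useful as a length and character policy rather than as the only defence.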