[FX.php List] character encoding issue?
DC
dan.cynosure at dbmscan.com
Thu Feb 16 19:55:51 MST 2006
Andy,
Be super careful passing superglobals directly into FMP.
The code you posted below might be exploited by sending this:
http://site.com/login.php?username=*
Try it and let us know what you find. The "eq" parameter might give
you some protection against this asterisk, but I think even that
could be thwarted by some clever request.
Best rule is... don't pass user input directly to anything until it
has been sanitized.
Dan
On Feb 16, 2006, at 6:55 PM, Andy Gaunt wrote:
> $query->AddDBParam('email', str_replace('@', '\@', $_REQUEST['username']), "eq");
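An added example to go with Dan's warning (this is not code from the post, nor part of FX.php): it runs the posted escaping next to a checked variant on a few constructed inputs, including the `*` probe. The function names `loginValueOriginal` and `loginValueChecked` are made up for the example, and the operator list is what FileMaker documents for find mode in text fields; confirm it against the FileMaker version you run.

```php
<?php
// Added example, not code from the list post or from FX.php. It shows why
// escaping only '@' (as in the posted snippet) leaves a login find open to
// wildcard injection, and one way to check the value before it reaches
// AddDBParam(). Function names here are hypothetical.

declare(strict_types=1);

// FileMaker find-mode operators (as documented for text fields) that change
// what a request matches. '@' is handled separately below because an e-mail
// address legitimately contains exactly one. '.' alone is fine; '...' is the
// range operator, so it is listed as a three-character string.
// Verify this list against your FileMaker version.
const FM_FIND_OPERATORS = ['*', '#', '!', '=', '<', '>', '"', '~', '?', '...'];

// What the posted code does: only '@' is escaped, so '*' passes through as
// a wildcard and a find on the email field would match every record.
function loginValueOriginal(string $username): string
{
    return str_replace('@', '\@', $username);
}

// Checked variant. Before the value is handed to the query:
//  1. it must have the shape of a plain e-mail address (whitelist);
//  2. it must contain exactly one '@' and none of the other operators.
// Returns the value with '@' escaped as in the original, or throws.
function loginValueChecked(string $username): string
{
    if ($username === '' || strlen($username) > 254) {
        throw new InvalidArgumentException('username length out of range');
    }
    // Whitelist shape: local part, one '@', dotted domain. This already
    // excludes '*', but the operator scan below keeps the intent explicit
    // if the pattern is ever loosened. Note that filter_var() with
    // FILTER_VALIDATE_EMAIL alone would not do: RFC 5322 permits '*', '!',
    // '=', '?' and '~' in the local part, so '*@example.com' passes it.
    $shape = '/^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$/';
    if (!preg_match($shape, $username)) {
        throw new InvalidArgumentException('username is not a plain e-mail address');
    }
    if (substr_count($username, '@') !== 1) {
        throw new InvalidArgumentException('username must contain exactly one @');
    }
    foreach (FM_FIND_OPERATORS as $op) {
        if (strpos($username, $op) !== false) {
            throw new InvalidArgumentException("find operator '$op' not allowed");
        }
    }
    // The one '@' the address needs is a single-character wildcard to
    // FileMaker, so it is still escaped before the value goes into the find.
    return str_replace('@', '\@', $username);
}

// Demonstration on constructed inputs: Dan's probe first, then two other
// operator-bearing values, then a legitimate address. Intended call site:
//   $query->AddDBParam('email', loginValueChecked($_REQUEST['username']), 'eq');
$probes = ['*', '*@*', 'a*@example.com', 'alice@example.com'];
foreach ($probes as $p) {
    $orig = loginValueOriginal($p);
    try {
        $checked = loginValueChecked($p);
    } catch (InvalidArgumentException $e) {
        $checked = 'REJECTED (' . $e->getMessage() . ')';
    }
    printf("%-22s original=%-22s checked=%s\n",
        var_export($p, true), var_export($orig, true), $checked);
}
```

With the posted code, `*` comes out of `loginValueOriginal` unchanged, so the find request carries a bare wildcard; `*@*` comes out as `*\@*`, still wildcarded on both sides. The checked variant refuses all three probe values and only passes `alice@example.com`, escaped as `alice\@example.com`. Rejecting rather than escaping is deliberate: a login name has no business containing find operators, and a whitelist does not depend on knowing every operator FileMaker honours.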