OZONE Asylum
Server-Side Scripting - Oh my!
PHP injection security?
This page's ID: 28059
Hi all... Just wondering, I've turned magic quotes off on my server as it causes all amounts of problems! Obviously now I have to manually addslashes to my $_POST and $_GET variables which I am using, before I use them in my MySQL query. To do this I am using mysql_real_escape_string... this part is all fine.

The question I have: is there a vulnerability in using these variables around a PHP script before they have slashes added? E.g. say I have a simple POST form, with an input field called myVar. So in PHP to use this I do

[code]
$myVar = $_POST['myVar'];
[/code]

I then use $myVar around the script, check it for characters I want to allow and that sort of thing. If it contains invalid characters I will do something like

[code]
print $myVar . 'contains invalid characters, please try again';
[/code]

So... can someone enter something into the input field with some PHP code, to break out and enter any PHP they want? Like could they do "'somavar'; <?php insert some bad php here ?>"? Basically can they use the $_POST variable to break out of my code and enter their own in the current script?
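The breakout question above, worked through as an added example (not code from the original post or the forum): a POST value stays a plain string unless the script itself hands it to eval or include, so the places where that string really becomes dangerous are HTML output (the raw print in the post is a reflected XSS vector) and SQL. It assumes a mysqli connection with mysqlnd and a table named things, and uses mysqli prepared statements in place of the post's mysql_real_escape_string; the function names are my own.

```php
<?php
// Added example, not from the original post. Shows that a POST value is
// only ever a string in PHP unless the script evaluates it, and shows the
// two places where such a string does become dangerous: HTML output (XSS)
// and SQL (injection). Function names and the table name are assumptions.

// 1. Validation: allow only the characters the form is meant to accept.
function myvar_is_valid(string $value): bool
{
    // Assumed policy: letters, digits and underscore, 1 to 32 characters.
    return preg_match('/^[A-Za-z0-9_]{1,32}$/', $value) === 1;
}

// 2. Output: the post's error message printed $myVar raw, which lets a
//    value such as "<script>...</script>" run in the visitor's browser
//    (reflected XSS). Encoding it makes the browser render it as text.
function invalid_message(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
        . ' contains invalid characters, please try again';
}

// 3. SQL: bind the value instead of pasting it into the query string.
//    A bound parameter cannot change the structure of the statement,
//    so no escaping of quotes is needed at all. Assumes table "things".
function find_by_myvar(mysqli $db, string $value): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM things WHERE myvar = ?');
    $stmt->bind_param('s', $value);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Demonstration with a constructed value standing in for $_POST['myVar'].
$myVar = "'somevar'; <?php echo 'injected'; ?>";   // constructed input

// PHP tags inside a string are just characters: nothing is executed.
var_dump(strpos($myVar, '<?php') !== false);   // bool(true): still plain text
var_dump(myvar_is_valid($myVar));              // bool(false): rejected by policy
echo invalid_message($myVar), "\n";            // quotes and < > arrive encoded, not as markup
```

Had the script done something like eval($myVar) or include($myVar), the answer to the post's question would be yes; with the code as written the value never leaves the data path.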