Re: Translate attempt
- From: Andreas Leitgeb <avl@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: 30 Jun 2008 09:56:37 GMT
francan00@xxxxxxxxx <francan00@xxxxxxxxx> wrote:
PHP:
if(isset($_GET['getClientId'])){
    // the request value is concatenated straight into the SQL text
    $res = mysql_query("select * from tableOne where clientID='".
        $_GET['getClientId']."'") or die(mysql_error());
    if($inf = mysql_fetch_array($res)){
        // ... (the rest of the handler is not included in the quoted post)
    }
}
I wonder, where the value for 'getClientId' comes from.
If it is part of the browser request, then this is highly
susceptible to SQL-injection, and about equivalent to
posting your web-server's administrator password here.
If the value for 'getClientId' is a guaranteed integer,
and stays on the server (i.e. doesn't do a ping-pong
to the client), and only then, it is ok, and my warning
moot.
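The risk the reply describes, as an added example that is not part of the original post or the poster's code: the quoted PHP is mirrored in Python against an in-memory SQLite table (a constructed stand-in for "tableOne" and MySQL), once with the request value spliced into the SQL text as the post does, and once with the value bound as a parameter. The third function is the "guaranteed integer" check the reply sets as the condition for the concatenated form being acceptable. Function and table names other than tableOne/clientID are assumptions made for the example.

```python
import sqlite3

# Constructed sample data standing in for "tableOne"; not the poster's data.
SAMPLE_ROWS = [("1", "alice"), ("2", "bob"), ("3", "carol")]


def make_db():
    """In-memory SQLite table shaped like the tableOne the quoted code queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tableOne (clientID text, name text)")
    conn.executemany("insert into tableOne values (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concatenated(conn, get_client_id):
    """Same construction as the quoted PHP: request value spliced into SQL text.
    Returns the row list, or the string 'error' when the input breaks the SQL."""
    sql = "select * from tableOne where clientID='" + get_client_id + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        # a stray quote in the value is parsed as SQL, not as data
        return "error"


def lookup_parameterized(conn, get_client_id):
    """Hardened form: the value is bound as a parameter, so the SQL text is fixed
    and the value can only ever match a clientID, never alter the query."""
    return conn.execute(
        "select * from tableOne where clientID=?", (get_client_id,)
    ).fetchall()


def as_guaranteed_int(value):
    """The condition the reply names: accept only a plain decimal integer.
    Returns the canonical string form, or None for anything else."""
    if not value.isdigit():
        return None
    return str(int(value))


def demo():
    """Run both lookups over three constructed inputs and return the results."""
    conn = make_db()
    results = {}
    for label, value in [("normal", "2"),
                         ("apostrophe", "O'Brien"),
                         ("sql-in-value", "x' or '1'='1")]:
        results[label] = (lookup_concatenated(conn, value),
                          lookup_parameterized(conn, value))
    return results


if __name__ == "__main__":
    for label, (concat, param) in demo().items():
        print(f"{label:13} concatenated={concat!r:45} parameterized={param!r}")
```

For the ordinary value both lookups return bob's row. A value containing an apostrophe turns the concatenated query into invalid SQL (the tell that request data is being parsed as code), while the parameterized query simply finds no match. A value carrying SQL makes the concatenated query return every row of the table, which is the exposure the reply compares to publishing the server's administrator password; the parameterized form again returns nothing. The integer check rejects both non-numeric inputs up front.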
- References:
- Translate attempt - From: francan00