PHP - security etc
Andy Armstrong
andy at hexten.net
Wed Mar 7 15:42:44 GMT 2007
On 7 Mar 2007, at 14:30, Michael Stillwell wrote:
> But no! For some monstrous reason, any *value* that starts and
> ends with a single quote "will be taken as the name of a file to
> read and send to the database server as the data for the
> appropriate placeholder." So if $name is "'/etc/password'" the
> *contents* of /etc/password get inserted into your database. (See
> http://php.net/odbc_execute.)
Yeah, evidence that the PHP team don't understand the semi-predicate
problem and its friends abounds.
See the ridiculous 'magic quotes' switch for similar stupidity.
--
Andy Armstrong, hexten.net
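The behaviour quoted above is a textbook semi-predicate problem: the same string carries both the data and the signal "this is actually a file name", so any caller who lets user input reach the placeholder has handed out a file read. The following Python model is an added example, not code from the thread or from PHP itself; it mimics the odbc_execute() rule the manual documents (a value that starts and ends with a single quote is read as a file), then shows the out-of-band alternative where the caller names file parameters separately. The file path, its contents and the function names are constructed for the demo.

```python
import os
import tempfile
from typing import Iterable, Sequence

# Constructed sample file standing in for /etc/passwd (hypothetical content,
# written to the temp directory so the example runs anywhere).
DEMO_SECRET = os.path.join(tempfile.gettempdir(), "odbc_demo_secret.txt")


def write_demo_secret() -> str:
    with open(DEMO_SECRET, "w", encoding="utf-8") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n")
    return DEMO_SECRET


def bind_in_band(values: Sequence[str]) -> list:
    """Model of the rule the PHP manual documents for odbc_execute(): a value
    that starts and ends with a single quote is not data but the name of a
    file whose contents are sent for that placeholder.  Whether a value is
    data or a file reference is signalled inside the value itself, so
    attacker-controlled input can flip the mode."""
    bound = []
    for v in values:
        if len(v) >= 2 and v[0] == "'" and v[-1] == "'":
            with open(v[1:-1], encoding="utf-8") as fh:
                bound.append(fh.read())      # file contents replace the value
        else:
            bound.append(v)
    return bound


def bind_out_of_band(values: Sequence[str], file_params: Iterable[int] = ()) -> list:
    """Hardened variant (hypothetical API): a value is always data.  If the
    programmer really wants a placeholder filled from a file, the placeholder
    index is named in a separate argument that user input cannot reach."""
    file_params = set(file_params)
    bound = []
    for i, v in enumerate(values):
        if i in file_params:
            with open(v, encoding="utf-8") as fh:
                bound.append(fh.read())
        else:
            bound.append(v)                  # quotes and all, as data
    return bound


if __name__ == "__main__":
    path = write_demo_secret()
    hostile = "'" + path + "'"                # what $name looks like in the quoted post
    print(bind_in_band([hostile]))            # file contents leak into the query
    print(bind_out_of_band([hostile]))        # the literal string is stored instead
    print(bind_out_of_band([path], file_params={0}))  # explicit, caller-chosen file read
```

Note that a name like O'Brien passes through untouched in both versions; the in-band rule only triggers when the quote is at both ends, which is exactly what makes it easy to overlook in testing and easy to hit deliberately. In real PHP code the practical defence is to refuse (or at least log) any bound value that starts and ends with a single quote before it reaches odbc_execute(), since the function offers no way to mark such a value as data.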
More information about the london.pm mailing list