On Mon, 2005-03-21 at 20:19 -0500, ted@gould.cx wrote:
> On Mon, 21 Mar 2005, Craig White wrote:
> > I have a problem with quoting strings
> >
> > which when POSTed - results in...
>
> AH! Don't pass an SQL query as a variable to a webpage. That means, if
> someone figures out what you're doing they can query anything in your
> database. They could post any SQL query that they wanted. Unless this
> is a very internal site, or you're somehow validating that string, you
> should change the way you're approaching this problem.
> ----
thanks for the advice - I suppose that I could pass the variables that I
used to identify/define the search itself, I could probably 'rebuild' the
string on the target - but this is in essence internal, it carries no
credentials, only the search string via a unix socket so I am not so
fearful. Fields and values wouldn't be that hard to deduce - GPL software
/ known users.

Craig
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
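Ted's suggestion, POST only the field and value that define the search and rebuild the statement on the server, as an added example (not code from either poster). The `people` table, its columns and the in-memory sqlite3 backend are assumptions; the column name is checked against a fixed whitelist because it cannot be bound, and the value is bound as a parameter so the quoting problem in the original message disappears.

```python
# Added example (not from the PLUG thread): rebuild the search server-side
# from POSTed field/value parameters instead of accepting a raw SQL string.
import sqlite3

# Assumption: the searchable table and its columns are fixed and known
# to the server, so the field name can be validated against this set.
ALLOWED_FIELDS = {"name", "email", "city"}


def build_search(field, value):
    """Return (sql, params) for a search, or raise on a field not in the whitelist.

    Column names cannot be bound as parameters, so the field is checked
    against ALLOWED_FIELDS; the value is bound with a ? placeholder and is
    never interpolated into the SQL text.
    """
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"unknown search field: {field!r}")
    sql = f"SELECT name, email, city FROM people WHERE {field} = ?"
    return sql, (value,)


def run_search(conn, field, value):
    """Execute the rebuilt search and return the matching rows."""
    sql, params = build_search(field, value)
    return conn.execute(sql, params).fetchall()


def demo_db():
    """Constructed sample data (hypothetical table) so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT, email TEXT, city TEXT)")
    conn.executemany("INSERT INTO people VALUES (?, ?, ?)", [
        ("Craig", "craig@example.invalid", "Phoenix"),
        ("Ted", "ted@example.invalid", "Tempe"),
    ])
    return conn


if __name__ == "__main__":
    conn = demo_db()
    print(run_search(conn, "city", "Phoenix"))
    # A value containing a quote is plain data here, not part of the SQL.
    print(run_search(conn, "name", "O'Brien"))
```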