Are you attempting to escape that string?  If not, you should be.  The
UserAgent header can't be trusted because every browser vendor has the
liberty to do pretty much what they want to it (there is no consistent
standard) and some browsers (i.e. Opera) allow users to set the
UserAgent to any arbitrary string, so it is inevitable that you will
get unsafe input sooner or later.

 - michael dykman

On Sun, Feb 8, 2009 at 12:31 AM,  <mik...@qualityadvantages.com> wrote:
> Hello mysql,
>
>  On one of my sites, I have a query that logs attempts to access the
>  site by potential bad guys. It has been working for more than a year
>  without a problem. Today, I got a database error because of an
>  unescaped ' in one of the arrays that I collect. When I checked the
>  error, I found a very curious condition in the useragent log entry.
>
> Here is the excerpt:
>
> ,\'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6) 
> Gecko/2009011913
> Firefox/3.0.6',
>
> Notice the backslash in front of the quote delimiter. How did that get
> there? Anybody have a guess?
>
> The database comes from a call to $_SERVER['HTTP_USER_AGENT'];
>
> --
> Best regards,
>  mikesz                          mailto:mik...@qualityadvantages.com
>
>
> --
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe:    http://lists.mysql.com/mysql?unsub=mdyk...@gmail.com
>
>



-- 
 - michael dykman
 - mdyk...@gmail.com

 - All models are wrong.  Some models are useful.
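An added illustration of the point in the reply above (this is not code from either poster, and it uses Python with an in-memory SQLite table rather than the original PHP/MySQL logging code): a User-Agent value spliced into the SQL text by string formatting breaks, exactly as in the reported error, as soon as the header contains a single quote, while the same values pass cleanly when the driver sends them as bound parameters. The table name, the IP address and the three User-Agent strings are constructed sample data; the third one is shaped like an injection attempt to show that the failure is not only a data-quality problem.

```python
import sqlite3

# Constructed sample User-Agent values: a normal one, one containing an
# apostrophe (enough to break a quoted SQL literal), and one crafted to
# close the literal and append a second statement.
SAMPLE_AGENTS = [
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6) "
    "Gecko/2009011913 Firefox/3.0.6",
    "Mozilla/5.0 (compatible; O'Reilly-Bot/1.0)",
    "x'); DROP TABLE access_log; --",
]

SAMPLE_IP = "192.0.2.1"  # constructed, RFC 5737 documentation address


def open_db():
    """Fresh in-memory database with a minimal access log table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access_log (id INTEGER PRIMARY KEY, ip TEXT, useragent TEXT)"
    )
    return conn


def log_unsafe(conn, ip, agent):
    """Query built by string formatting: a quote in the header corrupts the SQL."""
    sql = "INSERT INTO access_log (ip, useragent) VALUES ('%s', '%s')" % (ip, agent)
    conn.execute(sql)


def log_safe(conn, ip, agent):
    """Parameterised query: the value travels separately from the SQL text,
    so quotes, semicolons and comment markers in it are just characters."""
    conn.execute(
        "INSERT INTO access_log (ip, useragent) VALUES (?, ?)", (ip, agent)
    )


def stored_agents(conn):
    return [row[0] for row in conn.execute(
        "SELECT useragent FROM access_log ORDER BY id"
    )]


def demo():
    """Run both logging styles over the sample headers and report the outcome."""
    results = {}

    conn = open_db()
    failures = 0
    for ua in SAMPLE_AGENTS:
        try:
            log_unsafe(conn, SAMPLE_IP, ua)
        except (sqlite3.Error, sqlite3.Warning):
            # Quote breaks the literal (syntax error) or the injected ';'
            # turns the text into two statements, which execute() refuses.
            failures += 1
    results["unsafe_failures"] = failures
    results["unsafe_rows"] = stored_agents(conn)

    conn = open_db()
    for ua in SAMPLE_AGENTS:
        log_safe(conn, SAMPLE_IP, ua)
    results["safe_rows"] = stored_agents(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Only the first of the three headers survives the string-built INSERT; the other two raise database errors, which is the failure mode described in the original post. The bound-parameter version stores all three verbatim, including the one that looks like an attack, because nothing in a parameter is ever parsed as SQL. The PHP equivalent is a prepared statement (mysqli or PDO) or, failing that, running every untrusted value through the driver's own escaping function before concatenation.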
