--- David Otton <[EMAIL PROTECTED]> wrote:
> I can't be bothered to figure out a test case, but you apparently have
> a SQL injection risk with your code. You're assuming that the data from
> the client is correct.

This is a very good point. To highlight an example in the sample code you provided (that David is referencing, I assume), look at the following:

> foreach ($_POST['accomodatieid'] as $Key => $Value)
> {
>     $query = "INSERT INTO ttra (reisid, accomodatieid)
>     VALUES ($id2, $Value)";
>     $result = mysql_query ($query)

You're using values from $_POST (which can be anything, since it's data supplied by a user, potentially a malicious one) directly in the SQL statement that you send to MySQL. This grants a lot of power and flexibility to the user, which is very dangerous.

In addition, you loop through $_POST, so that even unexpected data might be used. This is even worse than expected data with an unexpected format.

To fix this, assign the data you find in $_POST to another variable (or array) once you determine that it is valid. For example:

    $safe = array();
    if ($_POST['foo'] is valid data) {
        $safe['foo'] = $_POST['foo'];
    }

Then, you can use the $safe array, and only a flaw in your data filtering (whatever code you use for "is valid data" above) will create the same security hole that you currently have.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
     Coming mid-2004
HTTP Developer's Handbook
     http://httphandbook.org/
RAMP Training Courses
     http://www.nyphp.org/ramp

--
PHP General Mailing List (http://www.php.net/)
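
Added example, not part of the original message or the poster's code: the filtering approach described above applied to the quoted loop. It assumes accomodatieid values are positive integers, uses a constructed $_POST and $id2, and replaces mysql_query with a PDO prepared statement against an in-memory SQLite table so it runs offline; filter_ids is a hypothetical helper.

```php
<?php
// Added example: filter $_POST into $safe, then insert only from $safe.
// Assumptions: ids are positive integers; SQLite stands in for MySQL.

// Keep only elements that are plain decimal strings; drop everything else.
function filter_ids($raw): array
{
    $safe = array();
    if (!is_array($raw)) {
        return $safe; // the field was not submitted as a list at all
    }
    foreach ($raw as $value) {
        // 1 to 9 digits only: rejects nested arrays, signs, spaces, SQL text.
        if (is_string($value) && ctype_digit($value)
            && strlen($value) <= 9 && (int) $value >= 1) {
            $safe[] = (int) $value;
        }
    }
    return $safe;
}

// Constructed request data: two valid ids and three values that must be dropped.
$_POST['accomodatieid'] = array('3', '17', '1 OR 1=1', array('x'), '-4');
$id2 = 42; // constructed; the thread does not show where $id2 comes from

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ttra (reisid INTEGER, accomodatieid INTEGER)');

$safe = filter_ids($_POST['accomodatieid'] ?? null);

// Bound parameters keep the values out of the SQL text as a second layer.
$stmt = $db->prepare('INSERT INTO ttra (reisid, accomodatieid) VALUES (?, ?)');
foreach ($safe as $value) {
    $stmt->execute(array($id2, $value));
}

foreach ($db->query('SELECT reisid, accomodatieid FROM ttra') as $row) {
    echo $row['reisid'], ' ', $row['accomodatieid'], "\n";
}
```

Only values that pass filter_ids ever reach the loop that talks to the database, so the insert code never touches $_POST directly.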