> The only data returned by a browser in a "Cookie" header is the
> name/value pairs. So, your example would not pose a threat of any
> sort.
> The "Referer" and "User-Agent" are separate headers, but like all data
> from the client, they should also not be trusted.
> 
> If you have magic quotes enabled, you're probably safe. It is actually
> best not to just addslashes() again "to be sure" for any data. Rather,
> echo the value of your data to the screen during development, and test
> to be sure that your single quotes are escaped like you think they
> should be.

Exactly... the name would be "tececo_stats" and the value would be
"bad_data','bad_time','bad_host','bad_referrer','bad_agent')#"

If slashes are not getting added to that data, either by magic quotes or
by addslashes(), then he's open to getting bad data inserted into his
table...

If magic_quotes_gpc is ON, then you're fine...

---John Holmes...

> Chris
> 
> 1LT John W. Holmes wrote:
> 
> >Yeah, magic_quotes will be enough, but it only handles GET, POST, and
> >COOKIE data. I'm not sure what SERVER variables can be trusted, so it
> >wouldn't hurt to addslash them...
> >
> >There isn't much of a risk to your query, but someone could still
> >mess things up. If they formatted a cookie like
> >
> >$_COOKIE['tececo_stats'] =
> >"bad_data','bad_time','bad_host','bad_referrer','bad_agent')#";
> >
> >it would allow them to insert bad data into your table...
> >
> 
> 
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

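Added example, not code from this thread: the string-built INSERT the thread describes beside a prepared-statement version that is safe regardless of magic_quotes_gpc (which was removed in PHP 5.4, so that safety net no longer exists). The table name `stats`, its column names and the `$_SERVER` fields the original script logs are assumptions inferred from the quoted payload.

```php
<?php
// Added example (not from the thread). Table and column names are assumed;
// the real schema was never posted to the list.
//
// Cookie value quoted in the thread: it closes the opening quote, supplies
// values for the remaining columns, and "#" (a MySQL comment) discards the
// rest of the original statement.
$cookie = "bad_data','bad_time','bad_host','bad_referrer','bad_agent')#";

// 1. Vulnerable form: the cookie is spliced straight into the SQL text,
//    which is what the thread's script does when no escaping is applied.
function buildVulnerableInsert(string $stats, string $host, string $ref, string $agent): string
{
    return "INSERT INTO stats (data, time, host, referrer, agent) VALUES ('"
        . $stats . "', NOW(), '" . $host . "', '" . $ref . "', '" . $agent . "')";
}

// Print the statement the server would receive: the attacker's five values
// fill the row and everything after '#' is ignored as a comment.
echo buildVulnerableInsert($cookie, 'example.org', 'http://example.org/', 'Mozilla'), "\n";

// 2. Hardened form: a prepared statement with bound parameters. The driver
//    transmits the cookie as data, so quotes and '#' cannot change the
//    statement no matter how magic_quotes or addslashes() are configured.
function insertStats(PDO $db, string $stats, string $host, string $ref, string $agent): bool
{
    $stmt = $db->prepare(
        'INSERT INTO stats (data, time, host, referrer, agent) VALUES (?, NOW(), ?, ?, ?)'
    );
    return $stmt->execute([$stats, $host, $ref, $agent]);
}

// Usage; the DSN and credentials are placeholders. Disabling emulated
// prepares makes the MySQL server itself keep SQL text and parameters apart.
$db = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass', [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);
insertStats(
    $db,
    $_COOKIE['tececo_stats'] ?? '',
    $_SERVER['REMOTE_HOST'] ?? '',
    $_SERVER['HTTP_REFERER'] ?? '',
    $_SERVER['HTTP_USER_AGENT'] ?? ''
);
```

With the hardened version the whole payload is stored verbatim in the `data` column as one string, which is the behaviour to expect when checking a fix: the row shows up with the literal quotes and '#' rather than five attacker-chosen fields.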