> Always, always, always sanitize input from the user. These hackers will
> screen scrape web pages to get interesting looking links/forms and then send
> them directly to your script trying to break it.
As Ken said, always sanitize. Your input should assume that the data came from a source you know nothing about, not from a form or link you created. Forms and links should be designed to assist the user, not dictate your input structure.

It really shouldn't matter that someone is trying to hack your site in the way you presented. It's just extra traffic. If your site can be compromised in that way, then the problem is with your code.

What if someone submitted:

Mode=last" OR 1=1

Would your query select the latest members or those where 1=1 (all)? Anyone can tinker with a URL, and it's not that hard to "emulate" a form post using curl.

-- 
Brent Baisley

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
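The `Mode=last" OR 1=1` case Brent describes, as an added example that is not part of the original thread. It is written in Python against an in-memory SQLite table rather than the PHP/MySQL the list discusses, because the point is the query, not the language: a `members` table with a `view` column, a `Mode` parameter interpolated straight into the SQL, and the same query with a bound parameter. The table, column names and sample rows are constructed for this example. The payload is written as `last' OR '1'='1` so the quotes are balanced against the single-quoted query and the statement parses; it is the same trick as the post's `last" OR 1=1`.

```python
"""Interpolated vs. parameterized query for a 'Mode' request parameter.

Added example; the members table and its rows are constructed here and
are not from the original post.
"""
import sqlite3

# Constructed sample data: 'view' says which listing a row belongs to.
# Only rows tagged 'last' are supposed to come back for Mode=last.
SAMPLE_MEMBERS = [
    ("alice", "last"),     # newest members, shown when Mode=last
    ("bob", "last"),
    ("carol", "archive"),  # older members, a different listing
    ("dave", "private"),   # never meant to be listed at all
]

# Values the application actually offers in its own links/forms.
ALLOWED_MODES = {"last", "archive"}


def make_db():
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, view TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_MEMBERS)
    return conn


def members_vulnerable(conn, mode):
    """Builds the SQL by string interpolation, the pattern the post warns about.

    Whatever arrives in Mode becomes part of the statement text, so a quote
    in the value ends the literal and the rest is parsed as SQL.
    """
    sql = "SELECT name FROM members WHERE view = '%s'" % mode
    return [row[0] for row in conn.execute(sql)]


def members_safe(conn, mode):
    """Same query with a bound parameter: the value is data, never SQL."""
    sql = "SELECT name FROM members WHERE view = ?"
    return [row[0] for row in conn.execute(sql, (mode,))]


def is_allowed_mode(mode):
    """Allow-list check: the form offers a few modes, so accept only those.

    This is the 'do not let the form dictate your input structure' rule in
    code: the script decides what Mode may be, not the link that was sent.
    """
    return mode in ALLOWED_MODES


def members_checked(conn, mode):
    """Allow-list first, then the parameterized query."""
    if not is_allowed_mode(mode):
        raise ValueError("unknown Mode: %r" % mode)
    return members_safe(conn, mode)


def demo():
    """Run the honest request and the injected one through both queries."""
    conn = make_db()
    payload = "last' OR '1'='1"   # the post's Mode=last" OR 1=1, quote-matched
    return {
        "honest_vulnerable": members_vulnerable(conn, "last"),
        "injected_vulnerable": members_vulnerable(conn, payload),
        "injected_safe": members_safe(conn, payload),
        "payload_allowed": is_allowed_mode(payload),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Run it and the interpolated query returns every row for the injected value, including the `private` one, while the parameterized query looks for a `view` literally named `last' OR '1'='1` and returns nothing. The allow-list rejects the payload before any query runs; it is the cheap check to add when a parameter can only take a handful of values the script itself defined.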
