Yeah, or these two words: "Filter Input"
Whichever route you take, you also need to do SQL injection cleansing.
scrub, rinse, repeat.
On Fri, Nov 28, 2008 at 8:00 PM, Chris Shiflett <[EMAIL PROTECTED]> wrote:
> On Nov 28, 2008, at 16:59, Michele Waldman wrote:
>
>> What about inserting a comment
>>
>> <script>alert('hi');</script>'; delete from users;
>>
>> Like I'm going to name my table users?
>>
>> With that one statement about they have performed a sql injection and html
>> injection in one stroke.
>>
>> Bada bing bada bang bada boom
>>
>> Next time I display their comment out of the database they are popping up
>> an alert to every user and my users are gone.
>>
>> Michele
>>
>
> Two words: escape output
>
> --
> Chris Shiflett
> http://shiflett.org/
_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org/show_participation.php
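For readers of this thread, here is an added example (not code from any of the posters) showing both halves of the advice in PHP: the comment is stored with a PDO prepared statement, so the quote and semicolon inside it are data rather than SQL, and it is escaped with htmlspecialchars() at the moment it is displayed. The in-memory SQLite database, the `comments` table and the function names are assumptions made for the example; the `users` table and the payload string come from Michele's message.

```php
<?php
// Added example, not from the thread: parameterised storage plus output
// escaping for a user comment. Uses the payload quoted above as input.

declare(strict_types=1);

// In-memory SQLite so the example runs without a server. The "users" table
// is the one from the thread; "comments" is assumed for the example.
function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    $db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");
    return $db;
}

// "SQL injection cleansing": bind the value instead of concatenating it into
// the query string. The driver sends the comment as a parameter, so a quote
// or semicolon inside it never reaches the SQL parser as syntax.
function store_comment(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function load_comment(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// "Escape output": encode for the HTML context at display time, not at
// storage time. ENT_QUOTES also encodes the single quote, so the same
// helper is safe inside quoted attribute values.
function render_comment(string $body): string
{
    return '<p class="comment">'
        . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</p>';
}

function count_users(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM users')->fetchColumn();
}

// Constructed input: the exact string from the thread.
$payload = "<script>alert('hi');</script>'; delete from users;";

$db = open_db();
$id = store_comment($db, $payload);

// The users table is untouched: the payload was stored as text, not executed.
if (count_users($db) !== 2) {
    throw new RuntimeException('users table was modified');
}

// The comment comes back byte-for-byte; nothing was "cleansed" away.
$stored = load_comment($db, $id);
if ($stored !== $payload) {
    throw new RuntimeException('stored comment does not match input');
}

// Rendered output contains no raw <script> tag.
$html = render_comment($stored);
if (strpos($html, '<script>') !== false) {
    throw new RuntimeException('output was not escaped');
}
echo $html, PHP_EOL;
```

Run it with `php comment_example.php`. The design point the thread is making is visible in the two helpers: storage keeps the original text intact and relies on parameter binding, and escaping happens only in render_comment(), because the right encoding depends on where the value is being emitted (here HTML body text), not on where it came from.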