Re: MySQL/PHP Query question
Posted by mtrawls (#0122 NASA Knights, Team Role: Programmer), 24-05-2004, 09:52

Now, I'm no PHP guru, actually I've never used it before ... but from my experience using perl/cgi I tend to be a bit paranoid. But safely so. The cardinal rule is never trust the user; taint check, taint check, taint check! Not being familiar with PHP, like I said, I don't know if it's possible to do any sort of attack against a script of this nature, but I suspect there is. (Granted the short snippet you show may not be susceptible, it's still a good idea to check your input.) E.g., if someone is entering a user-name make sure it only contains allowed characters and is correctly formatted. In perl, anyway, you'd be surprised how easy it is to pass 'rm -r .*' as an argument to something and watch for disastrous effects!

Just a friendly security reminder ... it never hurts to start good habits early (since you said you were learning PHP). Maybe someone more experienced can comment about specific security woes that you'll have to look out for. But remember that paranoia is good.
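An added example, not code from the post or the thread, of the "only allowed characters" check the post recommends, written in PHP since that is the language under discussion. The `users` table, its columns and the sample rows are constructed for the demo; the bound-parameter query is the complementary defense the reminder points toward.

```php
<?php
// Added example: allowlist-validate a user-name before it gets near a query,
// and bind it as a parameter so the database never treats input as SQL.

// True only for 3-32 chars of ASCII letters, digits, '_', '.', '-', starting
// with a letter. Quotes, spaces, ';' and other metacharacters never pass.
function isValidUsername(string $username): bool
{
    return preg_match('/\A[A-Za-z][A-Za-z0-9_.-]{2,31}\z/', $username) === 1;
}

// Validate first; then bind the value, so even input that somehow slipped
// past the check could not change the structure of the statement.
function findUser(PDO $db, string $username): ?array
{
    if (!isValidUsername($username)) {
        return null;   // reject; log it if you like, never echo raw input back
    }
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :name');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demo on an in-memory SQLite database (constructed data);
// the same PDO calls work unchanged against MySQL with a mysql: DSN.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');
$db->exec("INSERT INTO users (username) VALUES ('jsmith'), ('j.smith-01')");

$inputs = [
    'jsmith',       // valid, exists
    'j.smith-01',   // valid, exists
    'nobody',       // valid format, no such user
    "o'brien",      // rejected: quote character
    'rm -r .*',     // rejected: the post's Perl example (spaces, metacharacters)
    'ab',           // rejected: too short
];
foreach ($inputs as $in) {
    $verdict = isValidUsername($in) ? 'accepted' : 'rejected';
    $row = findUser($db, $in);
    printf("%-12s %-8s -> %s\n", $in, $verdict, $row ? 'found id ' . $row['id'] : 'no row');
}
```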