Web Analytics Made Easy -
StatCounter A script that stops the use of a query. - CodingForum

Announcement

Collapse
No announcement yet.

A script that stops the use of a query.

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • A script that stops the use of a query.

    mysql_query("DROP database")
    Somebody use a query similar to that in my old forum and it broke my db,so its there a way to make that query get ignored no matter what?

    And how do I make this tag not usable:
    PHP Code:
    <tr
    It brakes all the tables in threads so is there a way to stop that tag from taking effect?
    By all that I mean not usable in threads,that if people post something with those tags,the tags get ignored,I didnt meant the <tr's> of the php files.

  • #2
    Before you do any queries to the database encode any user input variables with mysql_real_escape_string which should take care of any mysql injections. To prevent the <tr> use htmlentities around any posts. This prevents any html tags being used.

    Comment


    • #3
      olso you can use strip_tags() and htmlspecialchars()
      Free php image upload script
      Personal web developing blog

      Comment


      • #4
        the most obvious prevention is that you should have created a new database-user that did not have permission to drop databases or tables or to drop/create new users etc, and that you would have used this new user inside the connectionstrings on your forum...
        you of course need to sanitize all user-input, but you should also reduce the impact of someone getting a query through, by giving your php db-user the absolute minimum of permissions that it needs to have. just comon sense, realy...
        Posting guidelines I use to see if I will spend time to answer your question : http://www.catb.org/~esr/faqs/smart-questions.html

        Comment

        Working...
        X