| Subject: | First of all, if a value is numeric,... |
|---|---|
| Summary: | Package rating comment |
| Messages: | 4 |
| Author: | Sven Dunemann |
| Date: | 2011-08-04 19:01:17 |
| Update: | 2011-10-03 08:28:40 |

Sven Dunemann rated this package as follows:
| Utility: | Bad |
|---|---|
| Consistency: | Sufficient |
| Examples: | Sufficient |

Sven Dunemann - 2011-08-04 19:01:17

First of all, if a value is numeric, there won't be any chars like <, > or " because with these chars the value is a string.
Also it is easy to manipulate SESSIONs, so here we can INJECT into the database because there is no escaping of $username = $_SESSION['user'], which can be faked.

Sorry, but this class is very bad and not useful.
Try next time when you know how to handle injections ;)

omid zarifi - 2011-09-01 11:29:01 - In reply to message 1 from Sven Dunemann

$username is just for example. You do not use this variant ($username).
I will fix these problems in the next version of this class.
Thank you

omid zarifi - 2011-09-01 11:41:34 - In reply to message 1 from Sven Dunemann

Martin Pircher - 2011-10-03 08:28:41 - In reply to message 3 from omid zarifi

Injection is still possible as you do not escape $br. Could be easily fixed by mysql_real_escape_string($br).
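The two points raised in this thread, that a `<`, `>`, `"` character filter is no defence against SQL injection, and that a value copied out of `$_SESSION` into a query without escaping or parameter binding can be forged, are shown below in a runnable form. This is an added example written for this page, not code from the rated class or from any of the commenters; the users table, the column name `user` and the forged session value are constructed for the demonstration. It is written in Python with SQLite rather than PHP/MySQL so it runs stand-alone; the `escape_quotes` helper is a naive stand-in for the `mysql_real_escape_string` fix proposed in the last message (note that the `mysql_*` functions were removed in PHP 7, where PDO or MySQLi prepared statements are the replacement).

```python
import sqlite3

# Constructed payload standing in for a forged $_SESSION['user'] value
# (assumption: the attacker controls the session, as the first comment argues).
FORGED_SESSION_USER = "' OR '1'='1"

BLACKLIST = '<>"'


def passes_char_blacklist(value: str) -> bool:
    """A <, >, " filter of the kind discussed above. It stops nothing here:
    the payload contains none of those characters."""
    return not any(c in value for c in BLACKLIST)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table (assumption: the class keys on a 'user' column)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (user) VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_concat(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: mirrors a PHP query assembled as "... WHERE user='$username'".
    The forged value closes the quote and appends OR '1'='1, matching every row."""
    sql = f"SELECT user FROM users WHERE user='{username}'"
    return [row[0] for row in conn.execute(sql)]


def escape_quotes(value: str) -> str:
    """Naive analogue of mysql_real_escape_string for SQLite: doubles single
    quotes (SQL-standard quoting). Not charset-aware; shown only to illustrate
    the escaping fix suggested in the thread."""
    return value.replace("'", "''")


def lookup_escaped(conn: sqlite3.Connection, username: str) -> list:
    """Concatenation with escaping applied: the quote can no longer break out."""
    sql = f"SELECT user FROM users WHERE user='{escape_quotes(username)}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the value travels as a bound parameter, never as SQL text.
    This is the preferred fix; escaping is a fallback for legacy code."""
    rows = conn.execute("SELECT user FROM users WHERE user=?", (username,))
    return [row[0] for row in rows]


def demo() -> dict:
    """Run the forged session value through each variant and collect the results."""
    conn = make_db()
    return {
        "blacklist_passes": passes_char_blacklist(FORGED_SESSION_USER),
        "concat_rows": lookup_concat(conn, FORGED_SESSION_USER),
        "escaped_rows": lookup_escaped(conn, FORGED_SESSION_USER),
        "param_rows": lookup_param(conn, FORGED_SESSION_USER),
        "param_legit": lookup_param(conn, "alice"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows the character filter accepting the payload, the concatenated query returning both users, and both the escaped and the parameterised queries returning nothing for the forged value while still finding a legitimate user.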