Showing results for tags 'injection'.
-
Hey guys, I have created a PHP file which takes two parameters: a subdirectory path and a file extension. It then echoes the complete path of (glob()) all the files with that extension in the search folder. I wanted to know the security issues involved with this and how I might use escape methods to make sure someone can't move up the directory listing and get other filenames. Are there any other concerns I should have? No data is coming or going to a database; however, there are other PHP files on the server which communicate with MySQL. Thanks a lot!
-
Does this code have a MySQL injection vulnerability?

$query = "DELETE FROM `$table` WHERE `$column` IN('".implode("','",$array)."')";

Using PHP 5, would this make the code more safe...

foreach ($array as $key => $a) { $array[$key] = mysql_real_escape_string($a); }
$query = "DELETE FROM `$table` WHERE `$column` IN('".implode("','",$array)."')";

or is there another way to make the code safe?
-
(I'm putting this in PHP since it's not a question specific to MySQL or other DB stuff.) I have a page that uses the GET id to find a product. GET variables are sanitized, and the SQL string is escaped even though it's expecting a number only. So the code seems safe to me. I'm getting some error_log results that appear to be hack attempts:

SELECT p.*, t.id as blah FROM some_table p left outer join some_other_table t on p.id = t.product_id WHERE p.id = 139\' and benchmark(20000000,sha1(1))--

Should I be worried about something like this? Anything more (or less) that I should be doing?
10 replies. Tagged with: injection, sql-injection (and 3 more)
-
I'm currently working on a WordPress website project and I am hoping someone can help me out on this. In the registration page, the data entered is stored in the WordPress database. I've also built a connection to store that data in an external database as well. So basically, if a visitor registers on the site, their data is stored in the WP and external DB. My question is: since the external DB relies on checking to see if the submit button has been pressed, do those data input values need to be escaped to prevent SQL injection into the external DB, since the data submitted to WordPress has already been SQL-escaped? Thanks for helping.