On Thu, Jun 08, 2006 at 11:42:09AM -0400, Chris Morgan wrote:
Can you come up with a non-destructive working example for the appdb website(appdb.winehq.org)? ;-)
no ;P
I ask because I thought we went through this some time ago but I agree that what you say looks like an open issue.
if the magic quote thingy is turned on, then my code below wont do any harm (as the ' from the user input is turned into '). well but there are other ways to inject code (e.g. encode the ' in some other way). at least a intval($_REQUEST['appId']) would be step in the right direction.
appId='"$_REQUEST['appId']."';";
with appId="' or 1=1;'"?