Menu
News
All News
Dungeons & Dragons
Level Up: Advanced 5th Edition
Pathfinder
Starfinder
Warhammer
2d20 System
Year Zero Engine
Industry News
Reviews
Dragon Reflections
White Dwarf Reflections
Columns
Weekly Digests
Weekly News Digest
Freebies, Sales & Bundles
RPG Print News
RPG Crowdfunding News
Game Content
ENterplanetary DimENsions
Mythological Figures
Opinion
Worlds of Design
Peregrine's Nest
RPG Evolution
Other Columns
From the Freelancing Frontline
Monster ENcyclopedia
WotC/TSR Alumni Look Back
4 Hours w/RSD (Ryan Dancey)
The Road to 3E (Jonathan Tweet)
Greenwood's Realms (Ed Greenwood)
Drawmij's TSR (Jim Ward)
Community
Forums & Topics
Forum List
Latest Posts
Forum list
*Dungeons & Dragons
Level Up: Advanced 5th Edition
D&D Older Editions, OSR, & D&D Variants
*TTRPGs General
*Pathfinder & Starfinder
EN Publishing
*Geek Talk & Media
Search forums
Chat/Discord
Resources
Wiki
Pages
Latest activity
Media
New media
New comments
Search media
Downloads
Latest reviews
Search resources
EN Publishing
Store
EN5ider
Adventures in ZEITGEIST
Awfully Cheerful Engine
What's OLD is NEW
Judge Dredd & The Worlds Of 2000AD
War of the Burning Sky
Level Up: Advanced 5E
Events & Releases
Upcoming Events
Private Events
Featured Events
Socials!
EN Publishing
Twitter
BlueSky
Facebook
Instagram
EN World
BlueSky
YouTube
Facebook
Twitter
Twitch
Podcast
Features
Top 5 RPGs Compiled Charts 2004-Present
Adventure Game Industry Market Research Summary (RPGs) V1.0
Ryan Dancey: Acquiring TSR
Q&A With Gary Gygax
D&D Rules FAQs
TSR, WotC, & Paizo: A Comparative History
D&D Pronunciation Guide
Million Dollar TTRPG Kickstarters
Tabletop RPG Podcast Hall of Fame
Eric Noah's Unofficial D&D 3rd Edition News
D&D in the Mainstream
D&D & RPG History
About Morrus
Log in
Register
What's new
Search
Search
Search titles only
By:
Forums & Topics
Forum List
Latest Posts
Forum list
*Dungeons & Dragons
Level Up: Advanced 5th Edition
D&D Older Editions, OSR, & D&D Variants
*TTRPGs General
*Pathfinder & Starfinder
EN Publishing
*Geek Talk & Media
Search forums
Chat/Discord
Menu
Log in
Register
Install the app
Install
Upgrade your account to a Community Supporter account and remove most of the site ads.
Enchanted Trinkets Complete--a hardcover book containing over 500 magic items for your D&D games!
Community
General Tabletop Discussion
*TTRPGs General
O.G.R.E. is here!
JavaScript is disabled. For a better experience, please enable JavaScript in your browser before proceeding.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an
alternative browser
.
Reply to thread
Message
<blockquote data-quote="Janx" data-source="post: 6022566" data-attributes="member: 8835"><p>ah yes, the dread apostrophe (or Single Quote). That's actually a risk for SQL Injection attacks, and should be addressed ASAP.</p><p></p><p>EVERY field coming in from the screen that is incorporated into an SQL query should be run through a function to safety pad the value before it is concatenated to the query. I cannot stress that enough.</p><p></p><p>forex:</p><p>$val = $POST["txtName"];</p><p>$sql = "select * from Names where Name like '" + $val + ';"</p><p></p><p>this means that I can type "';drop database YourDB; select '" into the txtName text box on the screen and get it to run my bit of SQL to drop your database, or something else.</p><p></p><p>I'd have to look up the best recommendation for PHP, in general it's using a function like quotesmart() or just replacing all single quotes with a pair of single quotes.</p><p></p><p>$val = quotesmart($FORM["txtName"]);</p><p></p><p>To slobster, you can work around this bug by using a pair of single quotes:</p><p>Janx's Great Spell -> Janx''s Great Spell</p><p></p><p>When SQL sees a pair of single quotes, it realizes you mean to use a singlequote as content, and not signal the end of the single-quoted value.</p></blockquote><p></p>
[QUOTE="Janx, post: 6022566, member: 8835"] ah yes, the dread apostrophe (or Single Quote). That's actually a risk for SQL Injection attacks, and should be addressed ASAP. EVERY field coming in from the screen that is incorporated into an SQL query should be run through a function to safety pad the value before it is concatenated to the query. I cannot stress that enough. forex: $val = $POST["txtName"]; $sql = "select * from Names where Name like '" + $val + ';" this means that I can type "';drop database YourDB; select '" into the txtName text box on the screen and get it to run my bit of SQL to drop your database, or something else. I'd have to look up the best recommendation for PHP, in general it's using a function like quotesmart() or just replacing all single quotes with a pair of single quotes. $val = quotesmart($FORM["txtName"]); To slobster, you can work around this bug by using a pair of single quotes: Janx's Great Spell -> Janx''s Great Spell When SQL sees a pair of single quotes, it realizes you mean to use a singlequote as content, and not signal the end of the single-quoted value. [/QUOTE]
Insert quotes…
Verification
Post reply
Community
General Tabletop Discussion
*TTRPGs General
O.G.R.E. is here!
Top
