
seeking bad/dangerous textbox submission tip.



bazz
04-28-2010, 10:41 PM
OK, that title sounds bad if read wrongly.

I have a series of forms and I have regexed them as much as I think is necessary. I would like to know, however, if someone would send me a line of code that someone could enter through a text box/textarea, which could show specific data from a db, if security hadn't been added. PM it to me if it is unwise to post publicly.

I am trying to make sure that I haven't left a 'door' open to a malicious attack, where I am unable to see there is even the door.

I have regexed out all unnecessary characters from form input and I don't submit it to the db without using placeholders. And I have set permissions on the connection not to allow delete, alter or drops. But I can't seem to work out how to prevent an insertion which would allow for a query that outputs db data other than what the form is meant to do.

I want to be sure that someone couldn't, for example, query the db to output either table names or column values.

Any tips or tutorials most welcome.

bazz
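
The three layers the post describes (an allow-list regex, placeholders, and a restricted connection), sketched as an added example that is not part of the original post. It assumes Python with SQLite because the thread names neither the language nor the database; the tables, columns and authorizer policy are hypothetical.

```python
import re
import sqlite3

# Assumed policy: the form's connection may read only these columns.
READABLE = {"products": {"name", "price"}}
NAME_RE = re.compile(r"[A-Za-z0-9 '\-]{1,40}")  # allow-list for the search box

def form_authorizer(action, arg1, arg2, dbname, source):
    """Permit SELECT on allow-listed columns; deny everything else."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg2 in READABLE.get(arg1, ()):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY

def make_db():
    """Build constructed sample data, then lock the connection down."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE staff (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT);
        INSERT INTO products (name, price) VALUES ('kettle', 19.5), ('O''Neill mug', 6.0);
        INSERT INTO staff (login, pw_hash) VALUES ('admin', 'constructed-value');
    """)
    con.set_authorizer(form_authorizer)
    return con

def search_products(con, user_text):
    """Validate, then bind the text as a parameter; it never becomes SQL."""
    if not NAME_RE.fullmatch(user_text):
        raise ValueError("input rejected by allow-list")
    sql = "SELECT name, price FROM products WHERE name = ?"
    return con.execute(sql, (user_text,)).fetchall()

def allowed(con, sql):
    """True if this connection is permitted to run the statement at all."""
    try:
        con.execute(sql).fetchall()
        return True
    except sqlite3.DatabaseError:
        return False

if __name__ == "__main__":
    con = make_db()
    print(search_products(con, "O'Neill mug"))             # quote is matched as data
    print(allowed(con, "SELECT name FROM sqlite_master"))  # schema is not readable
```

The authorizer is the layer that addresses table names and other tables' column values: even a statement that reaches the database cannot read anything outside the allow-listed columns.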


