04-28-2010, 10:41 PM | #1
bazz
seeking bad/dangerous textbox submission tip.

OK, that title sounds bad if read wrongly.

I have a series of forms and I have regexed them as much as I think is necessary. I would like to know however, if someone would send me a line of code that someone could enter through a text box/textarea, which could show specific data from a db, if security hadn't been added. PM it to me if it is unwise to post publicly.

I am trying to make sure that I haven't left a 'door' open to a malicious attack, where I am unable to see there is even the door.

I have regexed out all unnecessary characters from form input and I don't submit it to the db without using placeholders. And I have set permissions on the connection not to allow delete, alter or drops. But I can't seem to work out how to prevent an insertion which would allow for a query that outputs db data other than what the form is meant to do.

I want to be sure that someone couldn't, for example, query the db to output either table names or column values.

Any tips or tutorials most welcome.

bazz
__________________
"The day you stop learning is the day you become obsolete"! - my late Dad.

Why do some people say "I don't know for sure"? If they don't know for sure then, they don't know!
All times are GMT +1. The time now is 12:32 AM.

