[nycphp-talk] Need suggestions on building a hacker trap...

Brent Baisley brenttech at gmail.com
Tue Aug 12 08:45:07 EDT 2008


> Always, always, always sanitize input from the user. These hackers will
> screen scrape web pages to get interesting looking links/forms and then send
> them directly to your script trying to break it.
>

As Ken said, always sanitize. Your input should assume that the data
came from a source you know nothing about, not by a form or link you
created. Forms and links should be designed to assist the user, not
dictate your input structure. It really shouldn't matter that someone
is trying to hack your site in the way you presented. It's just extra
traffic. If your site can be compromised in that way, then the problem
is with your code.
What if someone submitted:
 Mode=last" OR 1=1
Would your query select the latest members or those where 1=1 (all)?
Anyone can tinker with a URL and it's not that hard to "emulate" a
form post using curl.

--
Brent Baisley
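The point of the reply above is that the URL or form is not a trust boundary: whatever arrives in `$_GET['Mode']` is arbitrary text, and if it is pasted into the SQL string it becomes part of the query's grammar. The following is an added example, not code from the thread or from NYPHP; it uses an in-memory SQLite database through PDO (so it assumes the `pdo_sqlite` extension) with a constructed `members` table, and the `status` column, the `findMembers*` function names and the sample rows are all hypothetical. The attack string is the same idea as the post's `Mode=last" OR 1=1`, written with balanced single quotes so the statement parses in SQLite.

```php
<?php
// Added example (not from the original thread). Constructed schema and data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, status TEXT, joined INTEGER)');
$pdo->exec("INSERT INTO members (name, status, joined) VALUES
    ('alice', 'last',   3),
    ('bob',   'active', 2),
    ('carol', 'last',   1)");

// VULNERABLE: the user's text is concatenated into the SQL, so quotes and
// keywords inside it are interpreted by the database, not treated as data.
function findMembersUnsafe(PDO $pdo, string $mode): array
{
    $sql = "SELECT name FROM members WHERE status = '" . $mode . "' ORDER BY joined DESC";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// STEP 1 of the fix: bind the value. The driver sends it as a parameter, so
// the database only ever compares status against the literal string.
function findMembersBound(PDO $pdo, string $mode): array
{
    $stmt = $pdo->prepare('SELECT name FROM members WHERE status = :mode ORDER BY joined DESC');
    $stmt->execute([':mode' => $mode]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// STEP 2: also validate against what the application actually accepts.
// Binding stops the injection; the allow-list stops nonsense values early
// and keeps the set of possible queries small and reviewable.
function findMembersSafe(PDO $pdo, string $mode): array
{
    $allowed = ['last', 'active'];          // hypothetical list of valid modes
    if (!in_array($mode, $allowed, true)) {
        throw new InvalidArgumentException('unknown Mode value');
    }
    return findMembersBound($pdo, $mode);
}

// Constructed input mirroring the post's Mode=last" OR 1=1
$attack = "last' OR '1'='1";

print_r(findMembersUnsafe($pdo, 'last'));   // alice, carol: the intended result
print_r(findMembersUnsafe($pdo, $attack));  // alice, bob, carol: WHERE is now always true
print_r(findMembersBound($pdo, $attack));   // empty: no row has that literal status
try {
    findMembersSafe($pdo, $attack);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";  // allow-list refuses it before any query
}
```

Run it with `php example.php`. The second `print_r` is the failure the reply warns about: the `WHERE` clause has become `status = 'last' OR '1'='1'`, so the "latest members" query returns everyone. Note that escaping the quotes by hand (for example with `addslashes`) is not the fix being shown here; the prepared statement removes the problem because the value never reaches the SQL parser as text.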


