| Re: Search queries? for xoops search in an IE TOOLBAR |
| by wrtbooks on 2004/1/8 3:09:38 Quote: Any other developers of XOOPS 1.x willing to give this a quick look? For me it would take weeks to figure out, but for someone who is very profient in XOOPS it shouldnt be that hard right? ::bump:: |
| Re: Search queries? for xoops search in an IE TOOLBAR |
| by wrtbooks on 2004/1/5 21:58:59 Quote: I'm no expert in this area, but there are some steps to take before putting variables in SQL queries - especially GET parameters. Any other developers of XOOPS 1.x willing to give this a quick look? For me it would take weeks to figure out, but for someone who is very profient in XOOPS it shouldnt be that hard right? |
| Re: Search queries? for xoops search in an IE TOOLBAR |
| by Mithrandir on 2004/1/3 22:30:21 It's only a security risk if you do not check the contents of the GET variable before putting it in an SQL query. I'm no expert in this area, but there are some steps to take before putting variables in SQL queries - especially GET parameters. |
| Re: Search queries? for xoops search in an IE TOOLBAR |
| by wrtbooks on 2004/1/3 22:24:05 Quote: This method, however, can leave your site very vulnerable Thank you very much for your input, I was feeling it was a security issue why it was setup like that. I wonder if any XOOPS 1.x users have changed or configured the search.php already? |
| Re: Search queries? for xoops search in an IE TOOLBAR |
| by Mithrandir on 2004/1/3 18:51:32 Yep, I notice this Nope, I don't know about XOOPS 1.x - didn't join the wagon before 2.0.3, sorry ![]() If you want your query to run without modifications, it should be a simple yes/no question: Run a search and see if the resulting page has your query in the URL. If it doesn't, then it won't support it out of the box and you'll need to modify search.php to accept query strings through the GET method. This method, however, can leave your site very vulnerable (but not more vulnerable than an insecure POST form) if you do not make absolutely sure, before running the database query, that the query is a valid one and not an SQL injection query. |