Subject:*
<
Name/Email:*
<
Message Icon:*
<
Select*
<
Message:*
<



Click the Preview to see the content in action.
Options:*
<
Confirmation Code*
<
7 - 5 = ?  
Input the result from the expression
Maximum attempts you can try: 10
*
<
     

Re: Search queries? for xoops search in an IE TOOLBAR
by wrtbooks on 2004/1/8 3:09:38

Quote:
Any other developers of XOOPS 1.x willing to give this a quick look? For me it would take weeks to figure out, but for someone who is very profient in XOOPS it shouldnt be that hard right?

::bump::
Re: Search queries? for xoops search in an IE TOOLBAR
by wrtbooks on 2004/1/5 21:58:59

Quote:
I'm no expert in this area, but there are some steps to take before putting variables in SQL queries - especially GET parameters.

Any other developers of XOOPS 1.x willing to give this a quick look? For me it would take weeks to figure out, but for someone who is very profient in XOOPS it shouldnt be that hard right?
Re: Search queries? for xoops search in an IE TOOLBAR
by Mithrandir on 2004/1/3 22:30:21

It's only a security risk if you do not check the contents of the GET variable before putting it in an SQL query.

I'm no expert in this area, but there are some steps to take before putting variables in SQL queries - especially GET parameters.
Re: Search queries? for xoops search in an IE TOOLBAR
by wrtbooks on 2004/1/3 22:24:05

Quote:
This method, however, can leave your site very vulnerable

Thank you very much for your input, I was feeling it was a security issue why it was setup like that. I wonder if any XOOPS 1.x users have changed or configured the search.php already?
Re: Search queries? for xoops search in an IE TOOLBAR
by Mithrandir on 2004/1/3 18:51:32

Yep, I notice this
Nope, I don't know about XOOPS 1.x - didn't join the wagon before 2.0.3, sorry

If you want your query to run without modifications, it should be a simple yes/no question: Run a search and see if the resulting page has your query in the URL. If it doesn't, then it won't support it out of the box and you'll need to modify search.php to accept query strings through the GET method.

This method, however, can leave your site very vulnerable (but not more vulnerable than an insecure POST form) if you do not make absolutely sure, before running the database query, that the query is a valid one and not an SQL injection query.

Who's Online

204 user(s) are online (170 user(s) are browsing Support Forums)


Members: 0


Guests: 204


more...

Donat-O-Meter

Stats
Goal: $15.00
Due Date: Jul 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $15.00
Make donations with PayPal!

Latest GitHub Commits