| Subject: | I've found three different problems... |
|---|---|
| Summary: | Package rating comment |
| Messages: | 1 |
| Author: | Artur Graniszewski |
| Date: | 2011-02-25 08:45:44 |
Artur Graniszewski rated this package as follows:

| Utility: | Insufficient |
|---|---|
| Consistency: | Good |
| Examples: | Good |
Artur Graniszewski - 2011-02-25 08:45:44

I've found three different problems with this class:

a) XSS attacks possible - you should escape strings taken from the database using htmlspecialchars() for option text names and addslashes() for option values.

b) SQL injections possible - there is no mysql_real_escape_string() in your class (because of the design decisions allowing the caller to specify the WHERE clause and the names of the table columns).

c) There is a typo: `$this->options.="<OPTION VALUE='".$this->oid."''".$this->selected."'>".$this->ovalue."</option>";` - why `''`?
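The three points above side by side, as an added example that is not the package's code and not the reviewer's: it rebuilds the `<option>` list from the quoted line with the stray `''`, then a hardened builder that escapes both the attribute value and the element text with htmlspecialchars() (this example uses ENT_QUOTES for the value attribute too, a design choice of the example rather than the reviewer's suggestion), plus an identifier whitelist for caller-supplied table and column names and a parameterised WHERE clause. The row data, the function names and the `oid`/`ovalue` column aliases are constructed for the example and are assumptions, not part of the original class.

```php
<?php
// Added example (not part of the original package or the review comment).
// Shows the vulnerable <option> builder quoted in the comment next to a
// hardened version, a whitelist for SQL identifiers, and a parameterised
// SELECT. The $rows array is constructed sample data, not database output.

declare(strict_types=1);

// Hypothetical rows as they might come back from the database: one carries a
// quote in the value (attribute break-out) and a script tag in the text.
$rows = [
    ['oid' => '1',                         'ovalue' => 'Plain option'],
    ['oid' => "2' onmouseover='alert(1)",  'ovalue' => '<script>alert(1)</script>'],
];

// The pattern the comment quotes: raw interpolation plus the '' typo.
// Kept deliberately vulnerable so the output shows what the browser receives.
function buildOptionsUnsafe(array $rows, string $selectedId): string
{
    $options = '';
    foreach ($rows as $row) {
        $selected = ($row['oid'] === $selectedId) ? 'SELECTED' : '';
        $options .= "<OPTION VALUE='" . $row['oid'] . "''" . $selected . "'>" . $row['ovalue'] . "</option>";
    }
    return $options;
}

// Hardened version: htmlspecialchars() on both the attribute value and the
// element text. ENT_QUOTES is what makes a quoted attribute safe; the default
// flags leave ' untouched, which would let "2' onmouseover=..." escape VALUE='...'.
// The selected flag is emitted as a proper attribute, which removes the '' typo.
function buildOptionsSafe(array $rows, string $selectedId): string
{
    $options = '';
    foreach ($rows as $row) {
        $value    = htmlspecialchars((string) $row['oid'],    ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $text     = htmlspecialchars((string) $row['ovalue'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $selected = ($row['oid'] === $selectedId) ? ' selected="selected"' : '';
        $options .= "<option value=\"$value\"$selected>$text</option>";
    }
    return $options;
}

// Table and column names cannot be bound as query parameters, and string
// escaping such as mysql_real_escape_string() does not protect identifiers.
// The workable pattern is a whitelist: accept only a strict identifier shape
// (or a known list of names) and quote the result with backticks.
function safeIdentifier(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("Invalid identifier: $name");
    }
    return '`' . $name . '`';
}

// The WHERE value is data, not query structure: build a parameterised query
// and let the driver bind it. Returns the SQL and the parameter list for a
// PDO prepare()/execute() pair instead of executing, so this runs offline.
function buildSelect(string $table, string $idColumn, string $textColumn, string $whereColumn, string $whereValue): array
{
    $sql = sprintf(
        'SELECT %s AS oid, %s AS ovalue FROM %s WHERE %s = :w',
        safeIdentifier($idColumn),
        safeIdentifier($textColumn),
        safeIdentifier($table),
        safeIdentifier($whereColumn)
    );
    return [$sql, [':w' => $whereValue]];
}

echo "Unsafe:\n", buildOptionsUnsafe($rows, '1'), "\n\n";
echo "Safe:\n",   buildOptionsSafe($rows, '1'),   "\n\n";

// Identifiers are validated; the hostile value stays a bound parameter.
[$sql, $params] = buildSelect('items', 'id', 'name', 'category', "x' OR '1'='1");
echo $sql, "\n";
print_r($params);

// A caller-supplied column name that tries to smuggle SQL is rejected outright.
try {
    safeIdentifier('id; DROP TABLE items');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Running it prints the unsafe markup with the broken `VALUE='1''SELECTED'>` attribute and the live payloads, then the escaped markup, then a SELECT whose identifiers are backtick-quoted and whose WHERE value is the `:w` placeholder. If the class must accept an arbitrary WHERE fragment rather than a column/value pair, that fragment is query structure and cannot be made safe by escaping; the only defences are to restrict it to a fixed set of conditions or to take column/value pairs as this example does.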