[Typo3] Re: How to send form data to Page PHP Content

Jens Scheidtmann Jens.Scheidtmann at bayerbbs.com
Wed Apr 13 09:00:25 CEST 2005


Mark Gillingham <markgill at uwalumni.com> writes:

> // The following is most important: it uses a T3 system function to get the page URI
> $this = t3lib_div::getIndpEnv('REQUEST_URI');
> // Determine what system vars I have access to
> $state = t3lib_div::_GP('state') ;
                      ^^^^
>
> $query = 'SELECT * FROM salesrep WHERE statecode=';
> //$query .= '"IL"';
> $query .= '"'.$state.'"';
                ^^^^^^^
>
> $connection = mysql_connect("localhost", "username", "password");
> mysql_select_db("db_name", $connection);
>
> $result = mysql_query($query, $connection);

Doesn't this create a SQL injection vulnerability?
Shouldn't one use mysql(_real)_escape_string?

http://php.net/mysql_real_escape_string
http://php.net/mysql_escape_string

Jens

-- 
Jens.Scheidtmann at bayerbbs.com
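Added example, not from the thread: the quoted lookup rewritten so the request value cannot change the SQL statement, first with the escape function Jens points at and then with a mysqli prepared statement. It assumes the same salesrep/statecode schema and connection details as Mark's snippet; the two-letter validation rule is an assumption of this example.

```php
<?php
// Added example (not from the original thread): the quoted lookup, rewritten
// so that the value from the request can never alter the SQL statement.
// Assumes the same salesrep/statecode schema and connection as the original.

// 1. Validate first: a state code is exactly two upper-case letters, so anything
//    else is rejected before it reaches the database at all. (Assumed rule.)
function readStateCode() {
    $state = t3lib_div::_GP('state');          // TYPO3 helper, as in the original
    if (!is_string($state) || !preg_match('/^[A-Z]{2}$/', $state)) {
        return null;                            // not a state code: do not query
    }
    return $state;
}

// 2a. The fix Jens suggests: escape the value for the connection's charset
//     before it is spliced into the query string (legacy mysql extension).
function salesRepsByStateEscaped($connection, $state) {
    $query = 'SELECT * FROM salesrep WHERE statecode = "'
           . mysql_real_escape_string($state, $connection) . '"';
    return mysql_query($query, $connection);
}

// 2b. Preferred: a prepared statement (mysqli). The statement text is sent to
//     the server once and $state travels separately as data, so quotes or
//     other characters inside it cannot change the statement's structure.
function salesRepsByStatePrepared(mysqli $db, $state) {
    $stmt = $db->prepare('SELECT * FROM salesrep WHERE statecode = ?');
    if ($stmt === false) {
        return false;                           // syntax/permission error
    }
    $stmt->bind_param('s', $state);             // 's' = bind as string
    $stmt->execute();
    return $stmt->get_result();                 // needs the mysqlnd driver
}

$state = readStateCode();
if ($state !== null) {
    $db = new mysqli('localhost', 'username', 'password', 'db_name');
    $result = salesRepsByStatePrepared($db, $state);
    if ($result !== false) {
        while ($row = $result->fetch_assoc()) {
            // render $row as part of the page content
        }
    }
}
```

With validation in front, a stray `"` in the `state` parameter is rejected at step 1; even without it, the bound parameter in step 2b never reaches the SQL parser as query text.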
