Mar 16th, 2009, 9:09 PM
Hi Joseph,
Hmmm! I really don't think this is a problem.
To prevent XSS / code injection attacks, PHP best practices recommend calling mysql_real_escape_string() on incoming values prior to using them in any DB queries. This is what FT2 does (and I think FT1, too). It wards against these types of attacks.
Hope this info helps.
If you're still worried, would it be possible to get some more details? Perhaps an illustration of how such a hack could take place (email it to me, rather than post it here!). Security problems are always a BIG concern, so I'll be sure to address it first.
- Ben
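Ben's reply leans on escaping incoming values before they reach the database. As an added example (not code from the post or from the FT2 project), this PHP script handles the same form value at both layers a practitioner has to cover: a prepared statement for the SQL query, and htmlspecialchars() when the stored value is echoed back into a page. The table, the sample input and the in-memory SQLite database are all constructed by the example so it runs offline.

```php
<?php
// Added example, not FT2 code. An in-memory SQLite database via PDO keeps
// the script self-contained; the table and input below are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE submissions (id INTEGER PRIMARY KEY, name TEXT)');

// Constructed form input that is hostile to both layers: a quote character
// (for the SQL literal) and a script tag (for the HTML page).
$incoming = "O'Brien <script>alert(1)</script>";

// Layer 1, the database. The prepared statement binds the value as data, so
// the quote can never close the SQL literal. This is the current replacement
// for the mysql_real_escape_string() + string-concatenation pattern (that
// function was removed in PHP 7.0 along with the rest of ext/mysql).
$stmt = $pdo->prepare('INSERT INTO submissions (name) VALUES (:name)');
$stmt->execute([':name' => $incoming]);

// Layer 2, the output. Protecting the query does nothing for the page: the
// stored value still contains a live <script> tag. Encoding at render time
// with htmlspecialchars() is the XSS defence, applied to every value echoed
// into HTML regardless of how it was stored.
$row = $pdo->query('SELECT name FROM submissions WHERE id = 1')
           ->fetch(PDO::FETCH_ASSOC);

$unsafe = $row['name'];   // raw: would run as script if echoed into a page
$safe   = htmlspecialchars($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');

echo "Stored as:   $unsafe\n";
echo "Rendered as: $safe\n";
```

Running it with `php example.php` shows the script tag intact in the stored value and neutralised only in the rendered one, which is why the two layers are separate steps.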