without further checks as to its format
If I do that, I'm doomed, so I won't do that. There's taint mode, and untainting.
Header checking, parameter validation and untainting have to happen (and in a reasonable setup do happen) before any database query.
So what if I “inject” that?
You can do that only if I let you. My CGISESSIONID matches /^[0-9A-z]{32}$/; if what you are trying to inject doesn't conform to that, you're out. Matching a nonsensical cookie against that pattern won't execute anything.
Then, for database queries, I use DBI and placeholders, so no SQL injection here either.
--shmem
_($_=" "x(1<<5)."?\n".q·/)Oo. G°\ /
/\_¯/(q /
---------------------------- \__(m.====·.(_("always off the crowd"))."·
");sub _{s./.($e="'Itrs `mnsgdq Gdbj O`qkdq")=~y/"-y/#-z/;$e.e && print}
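The three checks described in the post above (taint mode, untainting the cookie by regex capture, DBI placeholders) put together as an added Perl example; this is not code from the original post. It assumes DBI and DBD::SQLite are installed, and the `sessions` table and the cookie headers it feeds through are constructed here for the demonstration. One deliberate difference from the post: the character class is spelled `[0-9A-Za-z]` rather than `[0-9A-z]`, because in ASCII the range `A-z` also covers the six punctuation characters between `Z` and `a`.

```perl
#!/usr/bin/perl -T
# Added example, not shmem's code.  Run with:  perl -T this_script.pl
# Assumes DBI and DBD::SQLite are available; table and cookies are
# constructed below for the demonstration.
use strict;
use warnings;
use DBI;

# Under -T, everything that comes from %ENV (and so from the request)
# is tainted.  A regex capture is the sanctioned way to launder it:
# only a value that matches the whole pattern comes out untainted.
# Note [0-9A-Za-z] rather than [0-9A-z]: the ASCII range A-z also
# admits [ \ ] ^ _ and `.
sub untaint_session_id {
    my ($raw) = @_;
    return unless defined $raw;
    return $raw =~ /\A([0-9A-Za-z]{32})\z/ ? $1 : undef;
}

# Pull CGISESSIONID out of a Cookie header without trusting any of it.
sub session_id_from_cookie_header {
    my ($header) = @_;
    return unless defined $header;
    for my $pair (split /;\s*/, $header) {
        my ($name, $value) = split /=/, $pair, 2;
        return untaint_session_id($value)
            if defined $name && $name eq 'CGISESSIONID';
    }
    return;
}

# The session id is bound as data through a placeholder; it is never
# interpolated into the SQL text, so its content cannot change the query.
sub lookup_session {
    my ($dbh, $sid) = @_;
    my $sth = $dbh->prepare('SELECT user FROM sessions WHERE id = ?');
    $sth->execute($sid);
    my ($user) = $sth->fetchrow_array;
    return $user;
}

# TaintIn makes DBI itself refuse tainted bind values under -T, a second
# line of defence if some code path forgets to untaint.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1, TaintIn => 1 });
$dbh->do('CREATE TABLE sessions (id TEXT PRIMARY KEY, user TEXT)');
my $good = 'a' x 32;    # constructed sample session id
$dbh->do('INSERT INTO sessions (id, user) VALUES (?, ?)', undef, $good, 'alice');

# Constructed Cookie headers: one valid, one injection attempt,
# one too short, one too long.  In a real CGI this is $ENV{HTTP_COOKIE}.
my @headers = (
    "CGISESSIONID=$good",
    "CGISESSIONID=' OR 1=1 --",
    "CGISESSIONID=" . ('a' x 31),
    "other=1; CGISESSIONID=" . ('Z' x 33),
);

for my $h (@headers) {
    my $sid = session_id_from_cookie_header($h);
    if (!defined $sid) {
        print "reject: $h\n";          # no query is ever run for these
        next;
    }
    my $user = lookup_session($dbh, $sid) // '(no such session)';
    print "accept: $sid -> $user\n";
}
```

Only the first header reaches `lookup_session`; the other three are rejected by the regex before DBI sees them. In a real CGI the header would be read from `$ENV{HTTP_COOKIE}`, which is tainted under `-T`, and with `TaintIn` set a tainted value that somehow bypassed `untaint_session_id` would make `execute` die rather than run.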
In reply to Re^2: What if the bad-guys send nonsense as a session-id?
by shmem
in thread What if the bad-guys send nonsense as a session-id?
by locked_user sundialsvc4