PHP Classes

I've found three different problems with this class: a) XSS ...

Subject: I've found three different problems...
Summary: Package rating comment
Messages: 1
Author: Artur Graniszewski
Date: 2011-02-25 08:45:44
 

Artur Graniszewski rated this package as follows:

Utility: Insufficient
Consistency: Good
Examples: Good

1. I've found three different problems...
Artur Graniszewski - 2011-02-25 08:45:44
I've found three different problems with this class:

a) XSS attacks possible - you should escape strings taken from the database using htmlspecialchars() for options text names and addslashes() for options values

b) SQL injections possible - there is no mysql_real_escape_string() in your class (because of the design decisions allowing the caller to specify the WHERE clause and the names of the table columns)

c) there is a typo: $this->options.="<OPTION VALUE='".$this->oid."''".$this->selected."'>".$this->ovalue."</option>";
- why "''" ?
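As an added example (not the reviewed class's code, and not from the commenter), here is one way to build the same kind of option list while covering the three points above: the WHERE value is bound through a prepared statement and the column name is checked against an allowlist, and both the option text and the value attribute are HTML-escaped with ENT_QUOTES so a single- or double-quoted attribute cannot be broken out of. The function names, the table and column names, and the $pdo connection are assumptions.

```php
<?php
// Added example (not the reviewed class's code): building an <option> list
// from database rows while addressing the three points raised in the thread.
// Assumed names: fetch_options(), render_select(), the table/column names
// and the $pdo connection are all hypothetical.

/**
 * Fetch option rows with a prepared statement. The WHERE clause is not built
 * from caller-supplied SQL: the identifiers are checked against an allowlist
 * and the value is bound as a parameter, so it cannot change the query.
 */
function fetch_options(PDO $pdo, string $table, string $column, string $value): array
{
    // Constructed allowlist of identifiers this code is permitted to query.
    $allowed = [
        'products' => ['category', 'status'],
    ];
    if (!isset($allowed[$table]) || !in_array($column, $allowed[$table], true)) {
        throw new InvalidArgumentException('Unknown table or column');
    }
    $sql = sprintf('SELECT id, name FROM `%s` WHERE `%s` = :value', $table, $column);
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':value' => $value]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Render the <select>. Option text and the value attribute are both
 * HTML-escaped; ENT_QUOTES also encodes the single quote used by the
 * original class's VALUE='...' attribute, so either quoting style is safe.
 */
function render_select(string $name, array $rows, ?string $selected = null): string
{
    $esc = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $html = '<select name="' . $esc($name) . '">';
    foreach ($rows as $row) {
        $id   = (string) $row['id'];
        $attr = ($selected !== null && $id === $selected) ? ' selected' : '';
        $html .= '<option value="' . $esc($id) . '"' . $attr . '>' . $esc((string) $row['name']) . '</option>';
    }
    return $html . '</select>';
}

// Constructed sample rows standing in for a database result; the second row
// carries quotes and markup that would otherwise break out of the attribute or text.
$rows = [
    ['id' => '1',  'name' => 'Plain'],
    ['id' => '2"', 'name' => '<b>Bold</b> & "quoted"'],
];
echo render_select('product', $rows, '1'), PHP_EOL;
```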