Subject: First of all, if a value is numeric,...
Summary: Package rating comment
Sven Dunemann rated this package as follows:
Sven Dunemann - 2011-08-04 19:01:17
First of all, if a value is numeric, there won't be any char like <, > or ", because with these chars the value is a string.
Also, it is easy to manipulate SESSIONs, so here we can INJECT the database, because there is no escaping of $username = $_SESSION['user'], which can be faked.
Sorry, but this class is very bad and not useful.
Try next time when you know how to handle injections ;)
omid zarifi - 2011-09-01 11:29:01 - In reply to message 1 from Sven Dunemann
$username is just an example.
You don't use this variant ($username).
I will fix these problems in the next version of this class.
omid zarifi - 2011-09-01 11:41:34 - In reply to message 1 from Sven Dunemann
Martin Pircher - 2011-10-03 08:28:41 - In reply to message 3 from omid zarifi
Injection is still possible, as you do not escape $br.
It could easily be fixed with mysql_real_escape_string($br).
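The injection that Sven (an unescaped $_SESSION['user'] value) and Martin (an unescaped $br) describe, as an added example that is not the class under review nor any of the commenters' code. It assumes a users table with user and secret columns and treats $br as a numeric id slot in the query (an assumption; the page does not say what $br holds). It runs against an in-memory SQLite database through PDO so it executes without a MySQL server. Note that mysql_real_escape_string belongs to the mysql extension removed in PHP 7.0, and that escaping only protects a quoted string literal: a value spliced into an unquoted numeric slot such as `id = $br` passes through escaping unchanged, so the hardened version binds parameters instead.

```php
<?php
// Added example, not from the package under review. Constructed schema and data;
// the meaning of $br (treated here as a numeric id) is an assumption.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, secret TEXT)");
$db->exec("INSERT INTO users (user, secret) VALUES ('alice', 'a-secret'), ('bob', 'b-secret')");

// The pattern the reviewers object to: a session value (or any other value the
// client can influence) is concatenated straight into the SQL text.
function lookupVulnerable(PDO $db, string $username, string $br): array
{
    $sql = "SELECT user, secret FROM users WHERE user = '$username' AND id = $br";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The fix: bind the values as parameters, so the database never parses them
// as SQL. The numeric slot is cast to int before binding, which also covers
// the case escaping cannot (an unquoted number).
function lookupSafe(PDO $db, string $username, string $br): array
{
    $stmt = $db->prepare("SELECT user, secret FROM users WHERE user = :user AND id = :id");
    $stmt->bindValue(':user', $username, PDO::PARAM_STR);
    $stmt->bindValue(':id', (int) $br, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed "faked" session value: it closes the quoted literal, makes the
// WHERE clause always true, and comments out the rest of the statement.
$_SESSION = ['user' => "x' OR 1=1 --"];
$fakedUser = $_SESSION['user'];

// Constructed hostile $br: no quotes or backslashes, so an escaping function
// would return it unchanged, yet it rewrites the unquoted numeric comparison.
$hostileBr = "0 OR 1=1";

echo "vulnerable, faked session user: ",
    count(lookupVulnerable($db, $fakedUser, '1')), " row(s)\n";
echo "vulnerable, hostile br:         ",
    count(lookupVulnerable($db, 'alice', $hostileBr)), " row(s)\n";
echo "safe, faked session user:       ",
    count(lookupSafe($db, $fakedUser, '1')), " row(s)\n";
echo "safe, hostile br:               ",
    count(lookupSafe($db, 'alice', $hostileBr)), " row(s)\n";
```

Run with `php example.php` on a build with pdo_sqlite enabled. The two vulnerable calls return every row, secrets included, for a username that does not exist and for a nonsensical id; the prepared-statement calls compare the injected text literally as a username and coerce $br to an integer, so no SQL from the client is ever executed.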