The second point means that if a user has the chance to modify a script, they could write anything there, including calls to sabotage, steal or delete data. Your user enters a number and you multiply it. But what if they enter a plugin call instead? Well, using GetAsNumber first may help: it converts the input to a number and strips any function calls. The same applies to text used in SQL statements, where a user can enter SQL commands in text fields and they get executed. But you pass values as parameters and don't put them in the SQL directly, right? In other cases you may need to remove brackets to remove function calls.
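To make the two mitigations concrete, here is an added example (not from the original post and not MBS plugin code): a Python model of coercing user text to a number before building a formula, beside SQL built by concatenation versus a parameterized query. `get_as_number` is only an approximation of FileMaker's GetAsNumber, and `SomePlugin` is a hypothetical call name in a constructed input.

```python
import sqlite3

# Constructed sample inputs: one honest quantity and one that smuggles a
# plugin-style call into the text, the case the post warns about.
HONEST_INPUT = "12.5"
HOSTILE_INPUT = '12.5 & SomePlugin("DoSomethingHarmful")'  # hypothetical call


def get_as_number(text: str) -> str:
    """Rough model of FileMaker's GetAsNumber (an assumption, not the real
    function): keep digits and the first decimal point, drop everything else,
    so any function or plugin call text never reaches the evaluator."""
    out = []
    seen_point = False
    for ch in text:
        if ch.isdigit():
            out.append(ch)
        elif ch == "." and not seen_point:
            out.append(ch)
            seen_point = True
    return "".join(out) or "0"


def build_formula(user_input: str) -> str:
    """Unsafe pattern: user text pasted straight into a formula that will be
    evaluated, so whatever the user typed becomes part of the expression."""
    return user_input + " * 2"


def build_formula_safe(user_input: str) -> str:
    """The mitigation from the post: coerce to a number first, then build."""
    return get_as_number(user_input) + " * 2"


def demo_db() -> sqlite3.Connection:
    """In-memory table with constructed rows for the SQL comparison."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?)", [("apple",), ("pear",)])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """SQL built by concatenation: the user text is parsed as part of the statement."""
    return conn.execute("SELECT name FROM items WHERE name = '" + name + "'").fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Same query with the value bound as a parameter: it is only ever data."""
    return conn.execute("SELECT name FROM items WHERE name = ?", (name,)).fetchall()
```

Compare `build_formula(HOSTILE_INPUT)` with `build_formula_safe(HOSTILE_INPUT)`: only the second yields a formula that contains nothing but arithmetic.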