ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

The active forums are here.

Are segment variables in the weblog entries tag safe?

June 29, 2010 11:02am

  • #1 / Jun 29, 2010 11:02am

    FountainInternet

    53 posts

    Hi

    Is it safe to use segment variables in the weblog entries tag? I want to be sure that it’s not possible for someone to modify a URL segment in such a way that could be used in a SQL injection attack.

    For example:

    {exp:weblog:entries weblog="{segment_2}" url_title="{segment_3}"}

    Let’s say someone modified the third segment to include some SQL code. Is that a potential scenario that could be exploited?

    I’m sure I’m worrying over nothing, but I wanted to check anyway.

    I had similar concerns about dynamic parameters, so I’ve avoided using them for now, just in case.

    Thanks
    Simon

  • #2 / Jul 01, 2010 6:23pm

    FountainInternet

    53 posts

    Ominous lack of response to this. Should I have posted it in one of the other forums?

    Simon

  • #3 / Jul 01, 2010 7:10pm

    Lisa Wess

    20502 posts

    Hi, Simon -

    Yes, they are sanitized and safe.

    If you use them in conditionals, do read troubleshooting conditionals first.

  • #4 / Jul 01, 2010 7:13pm

    FountainInternet

    53 posts

    Thanks Lisa, that’s good to know.
