ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


URI segments and buffer overflow attack?

June 24, 2011 6:34pm

  • #1 / Jun 24, 2011 6:34pm

    funnEE

    94 posts

    Does using {segment_3} protect against buffer overflow attacks? I did not see any mention of URI segments in the security guidelines. Do I need to use $this->EE->security->xss_clean() before using URI segments with the query module? Before my own php/sql queries?

    Thanks,
    Dave

  • #2 / Jun 27, 2011 6:28am

    John Henry Donovan

    12339 posts

    Hi Dave,

    Below is the answer I gave to you back in March of this year on this thread. All that info is still current.

    We would recommend always quoting your variables as below:

    {exp:query sql="SELECT DISTINCT title, id
    FROM table1
    WHERE id IN (SELECT id FROM table2 WHERE name = '{segment_3}')
    ORDER BY title ASC"}

    You can find more info in our docs here.
    You should always make the extra effort to sanitize your data before it gets fed to the database.

    Note also that the query module can only do SELECT statements.

    And just because I haven’t seen it in a while I’m linking to this again.

    Let us know if that helps?
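An added example, not from this thread and not ExpressionEngine's own code: the same lookup as the {exp:query} tag above, written in plain PHP with PDO, to show what "sanitize your data before it gets fed to the database" looks like in practice. The segment is checked against an allowlist pattern (letters, digits, hyphen, underscore, at most 64 characters) before it is used, and the query is parameterised so the value is never spliced into the SQL text. The table and column names are taken from the query in the thread; the in-memory SQLite database, its rows and the hard-coded segment values are constructed here so the script runs stand-alone, where a real controller would read the segment from the request.

```php
<?php
// Added example (not from the forum thread or from ExpressionEngine): the lookup from the
// {exp:query} tag above, done in plain PHP with PDO. Table and column names mirror the thread's
// query; the SQLite in-memory database and its rows are constructed here so the script runs
// stand-alone.

// Allowlist check: a segment used as a name/slug should only ever have this shape. Anything
// else is rejected before it gets near the database, rather than "cleaned" after the fact.
// The length cap also bounds how much of the request can ever reach the query.
function isValidSegment(string $segment): bool
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $segment) === 1;
}

// Parameterised query: the driver sends the value separately from the SQL text, so a quote
// inside the value is data, never syntax. This is what hand-quoting '{segment_3}' in the
// template tries to achieve but cannot guarantee on its own.
function titlesForName(PDO $db, string $segment): array
{
    if (!isValidSegment($segment)) {
        return [];  // or respond 404; the point is that the value never reaches the query
    }
    $stmt = $db->prepare(
        'SELECT DISTINCT title, id FROM table1
         WHERE id IN (SELECT id FROM table2 WHERE name = :name)
         ORDER BY title ASC'
    );
    $stmt->execute([':name' => $segment]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- constructed sample data, standing in for the site's real tables ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE table1 (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec('CREATE TABLE table2 (id INTEGER, name TEXT)');
$db->exec("INSERT INTO table1 VALUES (1, 'Welcome'), (2, 'About'), (3, 'Contact')");
$db->exec("INSERT INTO table2 VALUES (1, 'dave'), (2, 'dave'), (3, 'john')");

// Hard-coded stand-ins for what {segment_3} would hold: two well-formed slugs, one value
// containing a quote, and one far longer than any legitimate slug. In a real controller the
// value would come from the request's URI segments instead (assumption: plain PHP, not EE).
foreach (['dave', 'john', "dave's", str_repeat('a', 300)] as $segment) {
    $rows = titlesForName($db, $segment);
    printf(
        "%-12s -> %d row(s): %s\n",
        substr(var_export($segment, true), 0, 12),
        count($rows),
        implode(', ', array_column($rows, 'title'))
    );
}
```

Run with `php example.php`: the two valid slugs return their titles (sorted by title, as in the thread's ORDER BY), while the quoted and over-long values return nothing because they fail the allowlist before any SQL is built. For data that comes from a URI and ends up in a query, the risk to guard against in a PHP template is injection rather than a buffer overflow, and the combination of an allowlist with a parameterised query covers both the malformed and the over-long cases without relying on quoting alone.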
