tag:blogger.com,1999:blog-1531850453904970924.post7986839671851966279..comments2011-06-19T18:20:12.927-04:00RoboJennyhttp://www.blogger.com/profile/04085723385146006020noreply@blogger.comBlogger7125tag:blogger.com,1999:blog-1531850453904970924.post-71660425437735866132011-06-19T18:20:12.927-04:002011-06-19T18:20:12.927-04:00do NOT pass SQL statements to the backend end. YOu have to assume that all input coming from the user is malicious, until you validate and filter it thoroughly.<br /><br />what&#39;s frustrating is your example STILL shows this, 2 years after you post it. So now anyone that doesn&#39;t know better is going to read your post, and you&#39;ve just &quot;tutored&quot; an aspiring web developer to do things insecurely. <br /><br />this is a *great* example of insecure code that hackers like lulzsec and anonymous use to own websites in 2 seconds. <br /><br />Someone with a comp sci degree from a great school like carnegie M should know better.<br /><br />Fix your code!Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-1531850453904970924.post-87964865852850230502010-06-28T16:28:55.747-04:002010-06-28T16:28:55.747-04:00Hi Robo,<br /><br />is there any way to develop http://www.shirtsmyway.com/design_myshirt.php this type of website in php and jquery.<br /><br />please adviceNarendrahttp://www.blogger.com/profile/16697985954873033043noreply@blogger.comtag:blogger.com,1999:blog-1531850453904970924.post-10534207021683627802010-02-17T08:06:15.645-05:002010-02-17T08:06:15.645-05:00Nice CleavageCrishttp://www.blogger.com/profile/10505714231096373930noreply@blogger.comtag:blogger.com,1999:blog-1531850453904970924.post-21524446208675859232009-08-20T12:55:09.240-04:002009-08-20T12:55:09.240-04:00Wow... very interesting. U directly do the sql update directly from the box itself. Would not it be much more easier to use ajax http.open instead?<br /><br />Not that I&#39;m trying to be an expert or anything but thank ya for the logic you did on how to automatically hide boxy.Andy D. Hajimehttp://www.blogger.com/profile/09075459135863348664noreply@blogger.comtag:blogger.com,1999:blog-1531850453904970924.post-71366825766639346112008-10-26T08:08:00.000-04:002008-10-26T08:08:00.000-04:00Could you email me please? I fear my email to you must have been sent to your bulk/spam folder.<BR/><BR/>I do not like to give out too much information in the comments, but I do want to let you know it's in regards to your BlogHerAds.<BR/><BR/>Laura at BlogHer dot com<BR/><BR/>I look forward to hearing from you!Lauranoreply@blogger.comtag:blogger.com,1999:blog-1531850453904970924.post-9838991261610435862008-10-17T14:37:00.000-04:002008-10-17T14:37:00.000-04:00@Ivan<BR/><BR/>You're very right. I tried to gloss over it in the post, but I do have that marked as something to fix. I wrote it that way at first since I found it easier to debug and test since I could easily swap it out to be various SQL queries to check on it. I fully plan on fixing that problem before I deliver the code. I wrote the post now as opposed to waiting for the polished version since I wanted to get my notes down immediately for the jQuery and Boxy portions, which are new to me.<BR/><BR/>If anyone choose to use my notes for their own applications, I also would suggest only doing it this way to test and then make sure to change it to pass only the parameters and keep the sql in whatever your equivalent of submit_sql.php after you're sure all the commands are working.<BR/><BR/>Thanks for your comment.RoboJennyhttp://www.blogger.com/profile/04085723385146006020noreply@blogger.comtag:blogger.com,1999:blog-1531850453904970924.post-85371520927442965262008-10-17T14:32:00.000-04:002008-10-17T14:32:00.000-04:00That's a security hole isn't it? You're letting the client set the complete sql statement. This allows a malicious user to execute a function on demand via Firebug for example.Ivanhttp://www.blogger.com/profile/00530381404081691368noreply@blogger.com