As you may know from a few other issues I posted in, I'm not very knowledgeable in programming, but I felt this question may be asked by others and so posted it.

First off, I am aware of the potential for SQL injection attacks through PHP, but depending on the code being used, is there any risk in simple validation that first escapes the field to remove any nasty characters and then, say, sums the fields together? Is there something I am overlooking that is really open to attack even if you escape the strings?

The reason I am asking this is that I am sure I am not alone in having just about enough knowledge to cobble together a few lines of PHP to do some extra validatory function, but certainly lack the knowledge to quickly and easily put together a module to perform a small check on the data being used!

Thanks for your help,
Chris

Comments

quicksketch

I doubt there is much risk in code that you personally would put together. Drupal protects you regarding SQL injection as long as you use the Drupal database functions and only use the values from $form_state['values'] to do your calculations. The danger of these fields is the mere scope of what you can do with them. An example:

db_query("DROP DATABASE drupal");

This allows any user that has access to these fields to completely destroy your site. As long as access is properly restricted to the fields themselves, you don't have too much to worry about.
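To make the distinction concrete, here is an added example (not code from this thread or from the Webform module) of the two points above: a validation callback that sums fields using only values from $form_state, and a lookup that goes through db_query with a placeholder instead of string concatenation. It assumes the Drupal 6 API, that Webform puts component values under $form_state['values']['submitted'], and hypothetical field keys qty_a, qty_b and total.

```php
<?php
// Added example, not from the thread. Assumes Drupal 6 and that Webform
// stores component values in $form_state['values']['submitted'].
// The field keys 'qty_a', 'qty_b' and 'total' are hypothetical.

/**
 * Validation callback: check that two numeric fields add up to a third.
 * Only values from $form_state are used, never raw $_POST.
 */
function example_sum_validate($form, &$form_state) {
  $v = $form_state['values']['submitted'];

  foreach (array('qty_a', 'qty_b', 'total') as $key) {
    // Reject anything that is not a plain number before doing arithmetic.
    if (!isset($v[$key]) || !is_numeric($v[$key])) {
      form_set_error('submitted][' . $key,
        t('%field must be a number.', array('%field' => $key)));
      return;
    }
  }

  if ((float) $v['qty_a'] + (float) $v['qty_b'] != (float) $v['total']) {
    form_set_error('submitted][total',
      t('Total does not match the sum of the quantities.'));
  }
}

/**
 * Count existing submissions for a node.
 *
 * UNSAFE: concatenating $nid lets whatever the caller passes reach the
 * SQL parser unchanged.
 */
function example_count_unsafe($nid) {
  return db_result(db_query(
    "SELECT COUNT(*) FROM {webform_submissions} WHERE nid = " . $nid));
}

/**
 * SAFE: the %d placeholder makes Drupal cast the argument to an integer,
 * so no caller-supplied text is ever spliced into the query.
 */
function example_count_safe($nid) {
  return db_result(db_query(
    "SELECT COUNT(*) FROM {webform_submissions} WHERE nid = %d", $nid));
}
```

The safe variant is the pattern quicksketch describes: as long as the query goes through the Drupal database functions with placeholders and the inputs come from $form_state, the arithmetic itself adds no injection risk.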

zpyder

Thank you, short and clear information that answers the question perfectly. Thanks again for the webform modules and the excellent support you provide!

quicksketch

Status: Active » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.