Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

› WebAssist Forums › Data Bridge › DataAssist › Penetration test findings - disallow special characters in insert/update behaviors

View all replies to this thread

Penetration test findings - disallow special characters in insert/update behaviors

Thread began 4/09/2022 9:56 am by Mags | Last modified 4/12/2022 4:41 pm by Mags | 1626 views | 13 replies

4/11/2022 3:23 pmRay BorduinWebAssist

I see the issue. The problem stems from you using a session variable that is set on the login page from the database and displaying it.

The values set from the login page aren't encoded by default like values displayed from the recordset are. I think the best solution would be to just add the encoding when the value is displayed. So on line 170 of my-account.php instead of:

echo $arr[0];

use:

echo htmlspecialchars($arr[0]);

Did this help? Tips are appreciated...

Build websites with a little help from your friends

Your friends over here at WebAssist! These Dreamweaver extensions will assist you in building unlimited, custom websites.

Build websites from already-built web applications

These out-of-the-box solutions provide you proven, tested applications that can be up and running now. Build a store, a gallery, or a web-based email solution.