can hackers send queries from other servers?

auday1982

hello guys

here is another newbie question , i am learning and really improved , a bit slow but now i am doing good with classes and i live to use class::soemthing , and the define function

my question is

if i have a function like this

function selectfromtopics($thedbquery) {

do whatever
}

i am going to connect to database , select topics (db table) and EXECUTE the query

can the hackers use the below php code from outside my server

dbclass::selectfromtable(badbadquery);

i think they can use include to get my file , then run the bad query

laserlight

auday1982 wrote:
i think they can use include to get my file , then run the bad query

All they would get is the file that is processed by the web server.

Ashley_Sheridan

Yeah, the only time you need to worry about XSS (cross-site scripting) attacks is where you are using unsanitised input directly from the outside world, i.e. using a $POST, $GET or $_REQUEST variable directly in your query, etc without first checking to see if it is within what you would recognise as an allowable value.