[wp-hackers] Virtual Multiblog

Andy Skelton skeltoac at gmail.com
Sun Nov 25 20:03:53 GMT 2007


On Nov 25, 2007 10:29 AM, Max <maxbear at gmail.com> wrote:
> $table_prefix = ereg_replace('^(www\.)', '', $_SERVER['HTTP_HOST']);
> $table_prefix = ereg_replace('\.', '', $table_prefix);
> $table_prefix = ereg_replace('\-', '', $table_prefix);
> $table_prefix = $table_prefix . '_';

At first glance, this looks like very unsafe code. It opens the door
to SQL injection attacks via the Host header. Your server may be
configured in a way that protects against it, but your code could be
very insecure on a lot of servers.

This closes the door:

$table_prefix = preg_replace('/[^a-z0-9]/', '', $_SERVER['HTTP_HOST']);

Tweak it for your specific needs, but don't let any dangerous
characters into your table names.

Cheers,
Andy
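
The whitelist idea from the reply, carried through as a complete example. This is added code, not from the original thread or from WordPress itself: the function names, the 32-character cap and the sample hosts are my own choices. It keeps the normalisation the quoted snippet did (drop a leading "www.", append "_") but replaces the blacklist of individual characters with a whitelist of what an identifier may contain, and adds an allowlist variant for setups where the set of valid hosts is known in advance.

```php
<?php
// Added example (not code from the original thread). Derives a WordPress
// $table_prefix from an HTTP Host value using a character whitelist, as the
// reply recommends, plus the normalisation the quoted snippet performed
// (drop a leading "www.", append "_"). Function names and the length cap
// are assumptions made for this example.

/**
 * Turn a Host header value into a table prefix that can only contain
 * [a-z0-9] followed by "_". Returns null when nothing usable is left so
 * the caller can fall back to a default prefix instead of building SQL
 * around an empty identifier.
 */
function safe_table_prefix(string $host, int $max_len = 32): ?string {
    // A Host header may carry a port ("example.com:8080"); drop it first.
    $host = strtolower(explode(':', $host, 2)[0]);

    // Strip a leading "www." as the quoted snippet did.
    $host = preg_replace('/^www\./', '', $host);

    // Whitelist: everything outside [a-z0-9] is removed. This is the step
    // that matters: quotes, backticks, semicolons, spaces, dots and hyphens
    // all disappear, so the result is a bare identifier and cannot carry
    // SQL metacharacters into an unquoted table name.
    $prefix = preg_replace('/[^a-z0-9]/', '', $host);

    if ($prefix === '') {
        return null;
    }

    // MySQL identifiers are limited to 64 characters and the prefix is
    // concatenated with every table name, so keep it short.
    $prefix = substr($prefix, 0, $max_len);

    return $prefix . '_';
}

/**
 * Stricter alternative: only serve hosts you know about. An unknown or
 * tampered Host value yields null and never reaches the database at all.
 */
function allowlisted_table_prefix(string $host, array $allowed): ?string {
    $prefix = safe_table_prefix($host);
    if ($prefix === null || !in_array($prefix, $allowed, true)) {
        return null;
    }
    return $prefix;
}

// Constructed sample Host values for demonstration only.
$samples = [
    'www.example.com',                 // plain case
    'Blog.Example-Site.org:8080',      // mixed case, hyphen, port
    "example.com`; SELECT 1; --",      // constructed hostile value
    '...',                             // nothing usable survives
];
foreach ($samples as $s) {
    printf("%-40s => %s\n", var_export($s, true),
           var_export(safe_table_prefix($s), true));
}
// 'www.example.com'              => 'examplecom_'
// 'Blog.Example-Site.org:8080'   => 'blogexamplesiteorg_'
// "example.com`; SELECT 1; --"   => 'examplecomselect1_'
// '...'                          => NULL

$allowed = ['examplecom_', 'blogexamplesiteorg_'];
var_dump(allowlisted_table_prefix('evil.example.net', $allowed)); // NULL
```

Two points worth keeping in mind when adapting this. First, the table prefix is interpolated into SQL as an identifier, not as a quoted value, so escaping functions do not help here; only restricting the character set (or the allowlist) does. Second, on a server where the virtual host is the default or catch-all, the Host header is entirely client-controlled, which is why the reply says the same code can be safe on one server and dangerous on another. The ereg_* functions used in the quoted snippet were removed in PHP 7, so preg_replace is the right tool regardless.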

