[wp-hackers] Virtual Multiblog
Andy Skelton
skeltoac at gmail.com
Sun Nov 25 20:03:53 GMT 2007
On Nov 25, 2007 10:29 AM, Max <maxbear at gmail.com> wrote:
> $table_prefix = ereg_replace('^(www\.)', '', $_SERVER['HTTP_HOST']);
> $table_prefix = ereg_replace('\.', '', $table_prefix);
> $table_prefix = ereg_replace('\-', '', $table_prefix);
> $table_prefix = $table_prefix . '_';
At first glance, this looks like very unsafe code. It opens the door
to SQL injection attacks via the Host header. Your server may be
configured in a way that protects against it, but your code could be
very insecure on a lot of servers.
This closes the door:
$table_prefix = preg_replace('/[^a-z0-9]/', '', $_SERVER['HTTP_HOST']);
Tweak it for your specific needs, but don't let any dangerous
characters into your table names.
Cheers,
Andy
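As an added example (not Andy's or WordPress's own code), the whitelist approach above carried one step further: the assumed helper host_to_prefix() also lower-cases the host, drops a port, and only derives a prefix for hosts on a constructed allowlist, falling back to a fixed prefix otherwise.

```php
<?php
// Added example, not from the original thread. host_to_prefix() and
// $known_hosts are assumed names; the host list and samples are constructed.

function host_to_prefix(string $host, array $known_hosts, string $fallback = 'wp_'): string
{
    // Normalise first: strip a trailing port and lower-case, so
    // "Example.com:8080" selects the same site as "example.com".
    $host = strtolower(preg_replace('/:\d+$/', '', $host));
    $host = preg_replace('/^www\./', '', $host);

    // Only hosts that were deliberately configured get their own tables;
    // an arbitrary Host header should never pick a prefix by itself.
    if (!in_array($host, $known_hosts, true)) {
        return $fallback;
    }

    // Whitelist, as in the reply above: anything outside [a-z0-9] is dropped.
    $prefix = preg_replace('/[^a-z0-9]/', '', $host);
    return $prefix === '' ? $fallback : $prefix . '_';
}

// Constructed Host header samples, including one carrying characters the
// original blacklist (leading "www.", "." and "-" only) would have let through.
$known_hosts = ['example.com', 'blog-two.example.org'];
$samples = [
    'www.example.com',          // => examplecom_
    'Example.com:8080',         // => examplecom_
    'blog-two.example.org',     // => blogtwoexampleorg_
    "example.com`; -- ",        // constructed hostile value => wp_
    'unknown.example.net',      // not configured => wp_
];
foreach ($samples as $h) {
    printf("%-28s => %s\n", $h, host_to_prefix($h, $known_hosts));
}
```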