[wp-hackers] Virtual Multiblog

Max maxbear at gmail.com
Mon Nov 26 03:24:47 GMT 2007


Hello,

Thanks a lot.

Yes, that's right. If you configure your DNS as a wildcard, you will have
security, so I usually don't allow wildcards in DNS.

Max

On Nov 26, 2007 4:03 AM, Andy Skelton <skeltoac at gmail.com> wrote:
> On Nov 25, 2007 10:29 AM, Max <maxbear at gmail.com> wrote:
> > $table_prefix = ereg_replace('^(www\.)', '', $_SERVER['HTTP_HOST']);
> > $table_prefix = ereg_replace('\.', '', $table_prefix);
> > $table_prefix = ereg_replace('\-', '', $table_prefix);
> > $table_prefix = $table_prefix . '_';
>
> At first glance, this looks like very unsafe code. It opens the door
> to SQL injection attacks via the Host header. Your server may be
> configured in a way that protects against it, but your code could be
> very insecure on a lot of servers.
>
> This closes the door:
>
> $table_prefix = preg_replace('/[^a-z0-9]/', '', $_SERVER['HTTP_HOST']);
>
> Tweak it for your specific needs, but don't let any dangerous
> characters into your table names.
>
> Cheers,
> Andy
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
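As an added worked example (not code from this thread or from WordPress), here are the two prefix derivations discussed above side by side in PHP, followed by a stricter check that only accepts hosts you actually serve, which is the point of Max's remark about wildcard DNS: with Andy's character allowlist the table name is no longer injectable, but any Host header an attacker can point at the server still selects which prefix gets used. The function names, the known-host list and the sample Host values are constructed for illustration; `ereg_replace()` was removed in PHP 7, so the unsafe variant is reproduced with `preg_replace()` and the equivalent patterns.

```php
<?php
// Added example for the wp-hackers thread; not WordPress code.
// Shows how a table prefix derived from the Host header behaves
// before and after restricting it to an allowlist of characters.

// The derivation quoted in the thread. Only "www.", dots and hyphens are
// stripped, so every other byte of the Host header lands in the prefix.
// (ereg_replace is gone in PHP 7; these preg patterns are equivalent.)
function unsafe_prefix(string $host): string {
    $p = preg_replace('/^(www\.)/', '', $host);
    $p = preg_replace('/\./', '', $p);
    $p = preg_replace('/\-/', '', $p);
    return $p . '_';
}

// Andy's allowlist: drop anything outside [a-z0-9]. Lower-casing first is
// an added tweak so "Blog.Example.com" does not lose its capital letters;
// note that a port suffix such as ":8080" still contributes its digits.
function safe_prefix(string $host): string {
    $p = preg_replace('/[^a-z0-9]/', '', strtolower($host));
    if ($p === '') {
        throw new InvalidArgumentException('Host header yields an empty prefix');
    }
    return $p . '_';
}

// Stricter variant: normalise the host and refuse anything not in a list
// of hosts this install actually serves. The list is constructed here;
// a real deployment would load it from configuration.
const KNOWN_HOSTS = ['example.com', 'blog.example.com'];

function prefix_for_known_host(string $host): string {
    $h = strtolower($host);
    $h = preg_replace('/:\d+$/', '', $h);   // drop an explicit port
    $h = preg_replace('/^www\./', '', $h);  // treat www.X as X
    if (!in_array($h, KNOWN_HOSTS, true)) {
        throw new RuntimeException("unknown host: $h");
    }
    return safe_prefix($h);
}

// Constructed Host header values: a normal one, one with mixed case and a
// port, and one carrying SQL metacharacters.
$hosts = [
    'www.example.com',
    'Blog.Example.com:8080',
    "example.com` WHERE 1=1; -- ",
];

foreach ($hosts as $host) {
    $unsafe = unsafe_prefix($host);
    $safe   = safe_prefix($host);
    printf("host %s\n", json_encode($host));
    printf("  unsafe prefix: %s\n", $unsafe);
    printf("  safe prefix:   %s\n", $safe);
    // What the prefix ends up inside once a query is built from it,
    // e.g. "SELECT option_value FROM {$table_prefix}options WHERE ...".
    printf("  unsafe query:  SELECT option_value FROM %soptions WHERE option_name = 'siteurl'\n", $unsafe);
    try {
        printf("  known-host prefix: %s\n", prefix_for_known_host($host));
    } catch (RuntimeException $e) {
        printf("  known-host check rejected it: %s\n", $e->getMessage());
    }
}
```

Run it with `php prefix_example.php`. The third host shows the difference: the unsafe variant produces a prefix containing a backtick, a space and `WHERE 1=1; --`, which then sits inside the query text, while the allowlisted variant collapses it to `examplecomwhere11_` and the known-host check rejects it outright. The second host illustrates the residual caveat with the allowlist alone, where the port digits survive in the prefix.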