List:General Discussion« Previous MessageNext Message »
From:Michael Dykman Date:February 8 2009 6:13am
Subject:Re: Curious Error, anyone have a guess?
View as plain text  
Are you attempting to escape that string?  If not, you should be The
UserAgent header can't be trusted because every browser vendor has the
liberty to do pretty much what they want to it (there is no consistent
standard) and some browsers (ie. Opera) allow users to set the
UserAgent to any arbitrary string, so it si inevitable that you will
get unsafe input sooner or later.

 - michael dykman

On Sun, Feb 8, 2009 at 12:31 AM,  <mikesz@stripped> wrote:
> Hello mysql,
>
>  On one of my sites, I have a query that logs attempts to access the
>  site by potential bad guys. It has been working for more than a year
>  with out a problem. Today, I got a database error because an
>  unescaped ' in one of the arrays that I collect. When I check the
>  error I found a very curious condition in the useragent log entry.
>
> Here is the excerpt:
>
> ,\'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6) Gecko/2009011913
> Firefox/3.0.6',
>
> Notice the backslash in front to the quote delimiter. How did that get
> there? Anybody have a guess?
>
> The database comes from a call to $_SERVER['HTTP_USER_AGENT'];
>
> --
> Best regards,
>  mikesz                          mailto:mikesz@stripped
>
>
> --
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe:    http://lists.mysql.com/mysql?unsub=1
>
>



-- 
 - michael dykman
 - mdykman@stripped

 - All models are wrong.  Some models are useful.
Thread
Curious Error, anyone have a guess?mikesz8 Feb
  • Re: Curious Error, anyone have a guess?Michael Dykman8 Feb