Post #16, 29th May 2013, 08:29
remy74 (Junior Member, joined May 2013)

Quote:
Originally Posted by Ben
Good work, seems to be an interesting plugin.

But...

Even though this was just sample code, would you mind validating and escaping all external input, e.g. here to validate $_REQUEST['id'] for being just numbers or characters, whatever will be the right syntax, and if the valid charset could lead to SQL injection or similar, you should escape it additionally.
Btw, this should happen for all data that you cannot control, in this case also for data you gather from and send to the Exchange side.
Yes, we know that. In all forms we put validators, and when we extract data from Exchange (Active Directory) we also validate the format.

We try our best, but we will also need other "eyes" to be sure that everything conforms to ISPConfig and is secure.
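The validate-then-escape pattern Ben asks for, written out as an added example; this is not code from the plugin or from either poster. It assumes a hypothetical `exchange_mailboxes` table with `id` and `login` columns, uses an in-memory SQLite database so it runs stand-alone, and feeds constructed request values in place of a real `$_REQUEST['id']`.

```php
<?php
// Added example: validate every external value (HTTP request parameters and
// data coming back from the Exchange/AD side), bind it in SQL, and escape
// additionally on any legacy path that still builds a query string by hand.
// The table name, column names and sample rows are all constructed.

declare(strict_types=1);

/**
 * Validate a request parameter that must be a positive integer id.
 * Returns the int, or null when the value is missing or malformed.
 */
function validate_id($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Validate a login name gathered from Exchange/Active Directory.
 * A conservative whitelist is enforced; anything else is rejected outright
 * rather than escaped, so SQL or LDAP metacharacters can never get through.
 */
function validate_login($raw): ?string
{
    if (!is_string($raw) || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $raw)) {
        return null;
    }
    return $raw;
}

// Constructed in-memory database standing in for the ISPConfig database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE exchange_mailboxes (id INTEGER PRIMARY KEY, login TEXT NOT NULL)');
$db->exec("INSERT INTO exchange_mailboxes (id, login) VALUES (1, 'jdoe'), (2, 'x'' OR 1=1')");

// Constructed request values standing in for $_REQUEST['id']: two well-formed
// ids, then typical malformed input that must be rejected before any query.
$samples = ['1', '2', '-5', '1 OR 1=1', "1'; DROP TABLE exchange_mailboxes; --", null];

foreach ($samples as $raw) {
    $id = validate_id($raw);
    if ($id === null) {
        printf("rejected request id %s\n", var_export($raw, true));
        continue;
    }

    // Even after validation, never interpolate the value into SQL: bind it.
    $stmt = $db->prepare('SELECT login FROM exchange_mailboxes WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Data returned from the Exchange side is external input too: validate it
    // with the same rigour before it is used anywhere else.
    $login = $row ? validate_login($row['login']) : null;
    if ($login === null) {
        printf("id %d: rejected malformed login from exchange side\n", $id);
        continue;
    }

    // If an old code path still concatenates SQL, escape in addition to validating.
    $escaped = $db->quote($login);
    printf("id %d: login %s (escaped literal %s)\n", $id, $login, $escaped);
}
```

Run with the PDO SQLite extension enabled: id 1 passes both checks, id 2 is stored with a login that fails the whitelist and is dropped, and the remaining samples never reach the database because `validate_id()` rejects them first. Rejecting on a whitelist and binding parameters does the real work; `PDO::quote()` is only a belt-and-braces step for code that cannot yet be moved to prepared statements.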