http://bbpress.org/forums/ bbPress support forums Topic: PHP Injection en Sun, 07 Sep 2008 20:41:39 +0000 http://bbpress.org/forums/topic/php-injection#post-16493 Tue, 27 May 2008 21:50:38 +0000 NicoMS 16493@http://bbpress.org/forums/ <p>chrishajer is right - bbPress probably wouldn't have released without some tightly knit coding to escape malicious scripts as a standard practice. Though, if you do want to delve deeper into guarding against attacks, there are some pretty handy tutorials on managing databases here: <a href="http://www.microsoft.com/hellosecureworld7" rel="nofollow">www.microsoft.com/hellosecureworld7</a> </p> http://bbpress.org/forums/topic/php-injection#post-16402 Thu, 22 May 2008 16:34:40 +0000 chrishajer 16402@http://bbpress.org/forums/ <p>The invitation to put code in backticks is actually the <strong>least</strong> of your worries. Anything in backticks gets escaped and displayed differently. You don't want to hack that function to exclude backticks. Removing the function wouldn't help with what you're worried about.</p> <p>You need to be concerned with input that is <strong>not sanitized</strong>, not input that is escaped in backticks.</p> <p>I think bbPress has a very good security track record. There have been a couple problems in the past year (one <a href="http://securitydot.net/vuln/exploits/vulnerabilities/articles/21592/vuln.html">XSS</a> and <a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3244">one SQL injection</a> I know of) but in general bbPress has been very secure. I don't think you have to worry about getting hacked when using it. The software is written by professionals. </p> http://bbpress.org/forums/topic/php-injection#post-16390 Thu, 22 May 2008 08:59:03 +0000 mystifier 16390@http://bbpress.org/forums/ <p>I like the idea of adding a BB to a Wordpress website and BBPress offers good integration but, having had one website previously screwed with a Visitor's Book, I am a bit paranoid about PHP Injection.</p> <p>Since there is actually an invitation to put code between backticks, how secure is it against injection?</p> <p>Is there a simple hack to exclude backticks? </p>