The format of $server_GMT Or: data sanitization

gromm · **Joined:** Thu Jun 05, 2008 5:35 pm **Posts:** 37

We just started using A2Billing v1.8.1 and I was trying to figure out what format A2Billing actually uses for the definition of $server_GMT, when I realized that it was accepting *any* value in *any* format.

This of course, was not helpful. Neither was any discussion in this forum.

And I couldn't help but notice that when a program accepts a value in any format like that, that there's no data sanitization in that program. And it really makes me wonder whether or not I want to use this billing system, which has its own little customer signup form that's publicly available on the internet for just anyone to sign on as Little Bobby Tables...

But of course, my actual question was "What's the format of $server_GMT?"

stavros · **Posted:** Mon Dec 13, 2010 12:52 pm

gromm wrote:

But of course, my actual question was "What's the format of $server_GMT?"

A quick check of the code indicates it must match one of the entries in the cc_timezone table.

Quote:

And it really makes me wonder whether or not I want to use this billing system, which has its own little customer signup form that's publicly available on the internet for just anyone to sign on as Little Bobby Tables...

I too would like to see pervasive use of parameterised queries, which would make injection attacks impossible. It's a big job to retrofit them though.

provided by Star2Billing S.L.

The format of $server_GMT Or: data sanitization

Who is online