[wp-hackers] Virtual Multiblog
Kimmo Suominen
kimmo at global-wire.fi
Mon Nov 26 07:08:27 GMT 2007
It doesn't matter what you have in DNS. The Host: header in the
HTTP request doesn't have to match your DNS information.
Best regards,
+ Kimmo
--
<A HREF="http://kimmo.suominen.com/">Kimmo Suominen</A>
On Mon, Nov 26, 2007 at 11:24:47AM +0800, Max wrote:
> Hello,
>
> Thanks a lot.
>
> Yes, that's right. If you configure your DNS as a wildcard, you will have
> security, so I usually don't allow wildcards in DNS.
>
> Max
>
> On Nov 26, 2007 4:03 AM, Andy Skelton <skeltoac at gmail.com> wrote:
> > On Nov 25, 2007 10:29 AM, Max <maxbear at gmail.com> wrote:
> > > $table_prefix = ereg_replace('^(www\.)', '', $_SERVER['HTTP_HOST']);
> > > $table_prefix = ereg_replace('\.', '', $table_prefix);
> > > $table_prefix = ereg_replace('\-', '', $table_prefix);
> > > $table_prefix = $table_prefix . '_';
> >
> > At first glance, this looks like very unsafe code. It opens the door
> > to SQL injection attacks via the Host header. Your server may be
> > configured in a way that protects against it, but your code could be
> > very insecure on a lot of servers.
> >
> > This closes the door:
> >
> > $table_prefix = preg_replace('/[^a-z0-9]/', '', $_SERVER['HTTP_HOST']);
> >
> > Tweak it for your specific needs, but don't let any dangerous
> > characters into your table names.
> >
> > Cheers,
> > Andy
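A defensive way to handle the same derivation, as an added example (not code from this thread or from WordPress): it applies Andy's character rule as a rejection test rather than a silent strip, and then maps the host through a constructed allowlist, so the header value itself never becomes part of a table name. The host names, prefixes and the function name are assumptions for illustration.

```php
<?php
// Added example (not from the thread or WordPress). As Kimmo notes, DNS does
// not constrain what a client puts in Host:, so the value is untrusted input.

// Constructed allowlist of virtual hosts this install actually serves.
// Mapping to a fixed prefix means the header never reaches a table name.
const KNOWN_HOSTS = [
    'example.com'      => 'examplecom_',
    'blog.example.net' => 'blogexamplenet_',
];

function table_prefix_for_host(?string $host): ?string
{
    if ($host === null || $host === '') {
        return null;
    }
    // Normalise: lower-case, drop an optional ":port" and a leading "www."
    $host = strtolower($host);
    $host = preg_replace('/:\d+$/', '', $host);
    $host = preg_replace('/^www\./', '', $host);

    // Andy's rule, applied as a check: anything outside the characters a
    // hostname can legitimately contain rejects the request outright.
    if (preg_match('/[^a-z0-9.\-]/', $host)) {
        return null;
    }
    // Second line of defence: only hosts we configured get a prefix at all.
    return KNOWN_HOSTS[$host] ?? null;
}

// Constructed checks: normalisation works, unknown or malformed hosts fail.
assert(table_prefix_for_host('WWW.Example.com:8080') === 'examplecom_');
assert(table_prefix_for_host('blog.example.net') === 'blogexamplenet_');
assert(table_prefix_for_host('other.example.org') === null);
assert(table_prefix_for_host('example.com;x') === null);

// In wp-config.php, fall back to a fixed default (or refuse the request)
// when null comes back, instead of building a prefix from the raw header.
$table_prefix = table_prefix_for_host($_SERVER['HTTP_HOST'] ?? null) ?? 'wp_';
```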