> Could you elaborate on that? How would a person be able to inject code
> because of an improperly escaped field?
> And why would this be a risk with a PHP generated .htm file and not a
> static .htm file with similar escaped field?
> Or for that matter, would a .php file be immune from this exploit?

These vulnerabilities do exist, however it is a little different because
you are adding a scripting language to a filetype that is not meant to
have a scripted language and is not default behavior.
However, most clients should always make sure to escape a field but here
is the problem.
Someone sends their user agent as: <?php echo('hi'); ?> (would most
likely be worse) and then all of a sudden your useragent in a log
writer could show that. Now when that is parsed through php, obviously
you are going to get "hi".
Now when the useragent is used in php you cannot execute anything
because you are either parsing the value from the database or just using
the $_SERVER variable to retrieve the string. Now I say string because
all PHP thinks of it is that it is a string.
I hope that helps and clarifies things a bit.
Mike
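
The log-writer case described in the message above, as an added example that is not part of Mike's message: a raw log line keeps the PHP opening tag from the User-Agent, while an escaped one stores it as inert text. The function names are hypothetical and the sample value is the harmless one quoted in the message.

```php
<?php
// Added example: helper names are hypothetical, sample input is constructed.

/** Unsafe: writes the header value verbatim into the HTML log line. */
function format_log_line_raw(string $userAgent): string
{
    return '<li>' . $userAgent . "</li>\n";
}

/** Hardened: neutralise markup before the value reaches the log file. */
function format_log_line_escaped(string $userAgent): string
{
    // Drop control characters (CR/LF included) so one request stays one line.
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $userAgent) ?? '';
    // Cap the stored length; the 512-byte limit is an arbitrary assumption.
    $clean = substr($clean, 0, 512);
    // "<" becomes "&lt;", so no PHP or HTML tag can start inside the value.
    $safe = htmlspecialchars($clean, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<li>' . $safe . "</li>\n";
}

/** True if PHP's own tokenizer finds an opening tag in $text. */
function contains_php_open_tag(string $text): bool
{
    foreach (token_get_all($text) as $token) {
        if (is_array($token)
            && in_array($token[0], [T_OPEN_TAG, T_OPEN_TAG_WITH_ECHO], true)) {
            return true;
        }
    }
    return false;
}

// Constructed sample: the User-Agent value from the message above.
$userAgent = "<?php echo('hi'); ?>";

$raw     = format_log_line_raw($userAgent);
$escaped = format_log_line_escaped($userAgent);

// What would the PHP handler see if the log were served as a parsed .htm file?
var_dump(contains_php_open_tag($raw));
var_dump(contains_php_open_tag($escaped));
echo $escaped;
```

Escaping at write time protects the log whatever handler later serves it. Keeping logs outside the web root, or not mapping .htm to the PHP handler, removes the parsing step altogether.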