Is there a possible vulnerability in forms coded manually and included in a sNews page with the [include] feature?
I don't mean XSS vulns of course because I secured my forms against those.
This may seem like a stupid question, but what about SQL injections? Can those forms be used to access the database? And if so, is there an easy way to secure them further?
Assuming your manually-coded (customized) forms are not 'native' to sNews (meaning they are from some other external source and not included with the sNews package), then it all depends on what you are doing with the data being collected by your customized forms.
For example, the data being collected by sNews's comment function is subjected to a pretty thorough cleaning before it gets inserted into the comments table in your sNews database, so it's not likely you're going to have malicious code getting into the comments d-base table.
If the data collected by your customized (manually-coded) forms is being inserted into (saved to) a table in your database, you are wise to ensure the $_POST values for each data type are being adequately checked and cleaned before they are sent to the database table via your INSERT or UPDATE queries.
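To make the answer concrete, here is an added example of the check-and-clean step for a custom form, written from scratch for this thread rather than taken from sNews (it does not use sNews's own database helpers). It assumes a PDO connection and a made-up `guestbook` table; the weak version builds the INSERT by string concatenation, the hardened version validates each $_POST field for its type and binds the values with a prepared statement so they are never parsed as SQL.

```php
<?php
// Added example, not part of sNews. Assumes PDO and a hypothetical
// table guestbook(name, email, message); both are assumptions.

// Weak pattern: $_POST values are concatenated straight into the SQL
// string, so a quote character in any field changes the query's structure.
function insert_unsafe(PDO $db, array $post): void
{
    $sql = "INSERT INTO guestbook (name, email, message) VALUES ('"
         . $post['name'] . "', '" . $post['email'] . "', '" . $post['message'] . "')";
    $db->exec($sql);
}

// Check and clean each field for the data type the column expects.
function clean_guestbook_input(array $post): array
{
    $name    = trim((string)($post['name'] ?? ''));
    $email   = trim((string)($post['email'] ?? ''));
    $message = trim((string)($post['message'] ?? ''));

    if ($name === '' || mb_strlen($name) > 60) {
        throw new InvalidArgumentException('name must be 1-60 characters');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('email is not a valid address');
    }
    if ($message === '' || mb_strlen($message) > 2000) {
        throw new InvalidArgumentException('message must be 1-2000 characters');
    }
    return ['name' => $name, 'email' => $email, 'message' => $message];
}

// Hardened pattern: validated values are bound as parameters, never
// interpolated, so the database treats them as data only.
function insert_safe(PDO $db, array $post): int
{
    $row  = clean_guestbook_input($post);
    $stmt = $db->prepare(
        'INSERT INTO guestbook (name, email, message) VALUES (:name, :email, :message)'
    );
    $stmt->bindValue(':name',    $row['name'],    PDO::PARAM_STR);
    $stmt->bindValue(':email',   $row['email'],   PDO::PARAM_STR);
    $stmt->bindValue(':message', $row['message'], PDO::PARAM_STR);
    $stmt->execute();
    return (int)$db->lastInsertId();
}

// Stand-alone demo on an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE guestbook (id INTEGER PRIMARY KEY, name TEXT, email TEXT, message TEXT)');

// A perfectly legitimate name containing an apostrophe (constructed input).
$post = ['name' => "O'Brien", 'email' => 'ob@example.com', 'message' => 'Hello from the form'];

try {
    insert_unsafe($db, $post);          // the apostrophe breaks the query text
} catch (PDOException $e) {
    echo "unsafe insert failed: " . $e->getMessage() . "\n";
}

$id = insert_safe($db, $post);          // bound value is stored verbatim
$stored = $db->query('SELECT name FROM guestbook WHERE id = ' . (int)$id)->fetchColumn();
echo "safe insert stored name: " . $stored . "\n";
```

The same pattern applies to UPDATE queries: validate the field for its type and length first, then bind it. The try/catch around the weak version is only there to show, on ordinary input, why concatenation is fragile; the hardened function is the one a custom [include] form should call.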