[Phpwm] site critique please

sukh virdee sukh_virdee at hotmail.com
Tue Jan 16 21:47:48 GMT 2007


I always use *_escape_string.

Not sure what you mean by the term "prepared statements"... Can anyone clear 
up the confusion?

Thanks,
Sukh


>From: David Goodwin <david at codepoets.co.uk>
>Reply-To: West Midlands PHP User Group <phpwm at mailman.lug.org.uk>
>To: West Midlands PHP User Group <phpwm at mailman.lug.org.uk>
>Subject: Re: [Phpwm] site critique please
>Date: Tue, 16 Jan 2007 17:51:26 +0000
>
>Dave Holmes wrote:
>>Phil,
>>
>>David just illustrated a symptom of the problem, in a kind, non-obtrusive
>>way.
>>
>>A more malicious hacker would be tempted to try embedding commands in the
>>SQL, in particular commands which could grant user rights and access to
>>poorly configured servers.
>>
>>What David illustrated is you are taking parameters direct from the URL and
>>firing them straight at the database, when you should be performing a sanity
>>check or clean up.
>>
>>In addition you should also consider the use of addslashes to negate this
>>problem as this would escape the apostrophe and MySQL would treat it as a
>>string.
>
>From reading various posts, there are a number of reasons why you 
>_shouldn't_ use addslashes (or magicquotes).
>
>Use either prepared statements, or the database specific *_escape_string
>
>Thanks
>Davi.
>
>--
>David Goodwin
>
>[ david at codepoets dot co dot uk ]
>[ http://www.codepoets.co.uk       ]
>
>_______________________________________________
>Phpwm mailing list
>Phpwm at mailman.lug.org.uk
>https://mailman.lug.org.uk/mailman/listinfo/phpwm
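As an added illustration (not part of this thread or anyone's posted code) of the three approaches discussed above: a URL parameter dropped straight into SQL, the same value passed through the driver's escaping, and a prepared statement with a placeholder. It uses PDO with an in-memory SQLite database so it runs offline; with MySQL the corresponding calls are mysqli->prepare()/bind_param() and mysqli_real_escape_string(). The table, rows and inputs are constructed for the demo.

```php
<?php
// Added example: interpolating vs escaping vs preparing a URL parameter.
// PDO + in-memory SQLite so it runs without a MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO products (name) VALUES ('Widget'), ('O''Brien''s Mug')");

// Constructed values standing in for $_GET['name'].
$inputs = ["Widget", "O'Brien's Mug"];

// 1. Unsafe: the parameter becomes part of the SQL text, so an apostrophe
//    in the input changes the statement itself (the symptom from the thread).
function lookup_unsafe(PDO $db, string $name): array {
    $sql = "SELECT name FROM products WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Escaping: the driver quotes the value so the apostrophe stays data.
//    (PDO::quote here; mysqli_real_escape_string with MySQL.)
function lookup_escaped(PDO $db, string $name): array {
    $sql = "SELECT name FROM products WHERE name = " . $db->quote($name);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Prepared statement: the SQL is compiled with a placeholder first and the
//    value is supplied separately, so it is never parsed as SQL at all.
function lookup_prepared(PDO $db, string $name): array {
    $stmt = $db->prepare("SELECT name FROM products WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

foreach ($inputs as $name) {
    printf("input %s\n", var_export($name, true));
    try {
        printf("  unsafe:   %s\n", json_encode(lookup_unsafe($db, $name)));
    } catch (PDOException $e) {
        // "O'Brien's Mug" lands here: the quote broke the statement.
        printf("  unsafe:   SQL error (%s)\n", $e->getMessage());
    }
    printf("  escaped:  %s\n", json_encode(lookup_escaped($db, $name)));
    printf("  prepared: %s\n", json_encode(lookup_prepared($db, $name)));
}
```

The escaped and prepared lookups both return the matching row for every input; only the interpolated query fails once the value contains a quote.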




