Re: [phpGroupWare-developers] SQL injection
From: Dave Hall
Subject: Re: [phpGroupWare-developers] SQL injection
Date: Mon, 16 Oct 2006 19:19:21 +1000
Hi Sigurd,
On Mon, 2006-10-16 at 10:36 +0200, Sigurd Nes wrote:
> Removing ";" from sql statements would protect from SQL injection - right ?
> Could this be performed by the datacleaner (clean variables fetched by
> get_var())?
This could be done, but I think there are some legitimate uses of ; in
strings: it is valid English punctuation. I think it is better that
developers properly escape/cast/sanitize/validate _all_ values before
they are sent to the db, as they are the ones who know what values
should be sent to the db.
Cheers
Dave
--
Dave Hall (aka skwashd)
API Coordinator
phpGroupWare
e address@hidden
w phpgroupware.org
j address@hidden
sip address@hidden
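Dave's point above, worked through in runnable form: a "datacleaner" that strips ";" mangles legitimate text and still leaves the query structure open to quote characters, while parameterizing the value (and casting an id to an integer) handles both. This is an added example, not code from the thread or from phpGroupWare; it uses Python's sqlite3 module with an in-memory database and a constructed users table instead of phpGroupWare's get_var()/datacleaner, and the input strings are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows (not from the mailing list or phpGroupWare).
USERS = [
    (1, "alice", "Dear Sir; please call me back"),
    (2, "bob", "no punctuation here"),
]


def setup_db():
    """Create an in-memory table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, note TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def strip_semicolons(value):
    """The 'remove ; in the datacleaner' idea from the thread, as a filter."""
    return value.replace(";", "")


def find_user_stripped(conn, name):
    """Weak: concatenates the filtered value into the SQL text.

    Quote characters pass the filter untouched, so the value can still
    change the meaning of the WHERE clause.
    """
    sql = "SELECT id, name FROM users WHERE name = '%s'" % strip_semicolons(name)
    return conn.execute(sql).fetchall()


def find_user_param(conn, name):
    """Parameterized: the driver passes the value as data, never as SQL text."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def update_note_param(conn, uid, note):
    """Store free text unchanged; a ';' inside it is just a character."""
    conn.execute("UPDATE users SET note = ? WHERE id = ?", (note, uid))
    conn.commit()


def note_for_user(conn, uid):
    row = conn.execute("SELECT note FROM users WHERE id = ?", (uid,)).fetchone()
    return row[0] if row else None


def is_valid_id(raw):
    """Cast/validate: an id is an integer, so reject anything that is not one."""
    try:
        int(raw)
        return True
    except (TypeError, ValueError):
        return False


def find_user_by_id(conn, raw_id):
    """Validate the type first, then bind the cast value as a parameter."""
    if not is_valid_id(raw_id):
        raise ValueError("id must be an integer: %r" % (raw_id,))
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (int(raw_id),)
    ).fetchall()


if __name__ == "__main__":
    db = setup_db()
    # Constructed inputs: one legitimate, one that tests the filter.
    legit = "Dear Sir; please call me back"
    tautology = "' OR '1'='1"
    print("filter mangles legitimate text:", strip_semicolons(legit))
    print("filter, hostile name, rows returned:", len(find_user_stripped(db, tautology)))
    print("parameterized, hostile name, rows returned:", len(find_user_param(db, tautology)))
    print("parameterized, real name:", find_user_param(db, "alice"))
    print("id cast accepts '2':", find_user_by_id(db, "2"))
    print("id cast rejects '2 OR 1=1':", is_valid_id("2 OR 1=1"))
```

The contrast is the one Dave draws: the filter cannot know whether a given ";" is punctuation or SQL, so it both corrupts data and misses the characters that actually matter for a string context, whereas the developer writing the query knows the value is a name (bind it) or an id (cast it, then bind it).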