LINUX.IE, website of the Irish Linux Users' Group
Tux rules!

   
Home
New Users
Articles
Download
Projects
Community
Vendors

  Print Version
Email to...
 
Archives:


planetILUG

Recent News

News Archive


Join the
ILUG
on FaceBook


Join the
ILUG
on LinkedIn


Join the
ILUG SETI
Group



















 
 :: Mailing Lists

[ILUG] php

[ILUG] php

Bryan O'Donoghue typedef at eircom.net
Tue May 31 16:42:27 IST 2005 

Kenn Humborg wrote:
>>> But - using multiple statements in single calls is an invitation for
>>>injection attacks. 
>>
>>How so ?
>>
>>Once you validate your user input doesn't have SELECT, "DELETE"...
>>INSERT DROP or other harmful statments.... how does it make a difference
>>*how many* statments in the one execute operate on this data ?
> 
> 
> Does PHP require that you manually insert arguments in SQL strings?
> 
> Surely you can use something like ADO's positional parameters
> (warning! VB code):
>    cmd.CommandText = "SELECT a FROM b WHERE ID = ?"
>    cmd.CommandType = adCmdText
>    cmd.Parameters.Append cmd.CreateParameter("ID", 
>                             adChar, adParamInput, , "fred")


*arrggh*

it burns...

> where "fred" could be user-supplied data.
> 
> It then becomes the database access layer's problem to figure
> out how to safely quote the arguments.
> 
> ADO.NET does one better by using named arguments, so you don't need
> to manually keep the Parameters.Append statements in the same order
> as the '?'s in the query string.
> 
> Please tell me PHP has a database access library that provides this
> type of facility...

It should be relatively easy to do in virtually any language.... but
(why) would you want to do it that way ?

There may even be a mod_ado for php, I don't know about ADO..

I guess if you were really *really* determined... you could have a
Postgre function or MySQL (version 5?) stored procedure *validate* it's
user input.

But... wouldn't it just be a whole lot simpler (and less wasteful) to
validate the data ... as soon as it's input ?

Moreover... I'm still not seeing a huge advantage in using automagic ADO
parameters... at all really.

Perhaps you could give some more examples ?

--

Best Regards,
Bryan

More information about the ILUG mailing list
Read this without the formatting.
                                                                                                    

  

Hosted by HEAnet


 Maintained by the ILUG website team. The aim of Linux.ie is to support and help commercial and private users of Linux in Ireland. You can display ILUG news in your own webpages, read backend information to find out how. Networking services kindly provided by HEAnet, server kindly donated by Dell. Linux is a trademark of Linus Torvalds, used with permission. No penguins were harmed in the production or maintenance of this highly praised website. Looking for the Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
RSS Version
Powered by Dell