phpgroupware-developers

Re: [phpGroupWare-developers] SQL injection


From: Dave Hall
Subject: Re: [phpGroupWare-developers] SQL injection
Date: Mon, 16 Oct 2006 19:19:21 +1000

Hi Sigurd,

On Mon, 2006-10-16 at 10:36 +0200, Sigurd Nes wrote:
> Removing ";" from sql statements would protect from SQL injection - right ?
> Could this be performed by the datacleaner (clean variables fetched by 
> get_var())?

This could be done, but I think there are some legitimate uses of ; in
strings; it is valid English punctuation.  I think it is better that
developers properly escape/cast/sanitize/validate _all_ values before
they are sent to the db, as they are the ones who know what values
should be sent to the db.

Cheers

Dave
-- 
Dave Hall (aka skwashd)
API Coordinator
phpGroupWare
e address@hidden
w phpgroupware.org
j address@hidden
sip address@hidden
       _            ____                    __        __             
 _ __ | |__  _ __  / ___|_ __ ___  _   _ _ _\ \      / /_ _ _ __ ___ 
| '_ \| '_ \| '_ \| |  _| '__/ _ \| | | | '_ \ \ /\ / / _` | '__/ _ \
| |_) | | | | |_) | |_| | | | (_) | |_| | |_) \ V  V / (_| | | |  __/
| .__/|_| |_| .__/ \____|_|  \___/ \__,_| .__/ \_/\_/ \__,_|_|  \___|
|_|         |_|                         |_|Web based collaboration platform
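The point Dave makes above (a ';' filter is neither sufficient nor harmless, and values have to be bound or escaped per use) is easy to demonstrate end to end. The following is an added example, not code from this thread or from phpGroupWare; it uses Python's sqlite3 module as a stand-in for the PHP database layer, and the table, rows and hypothetical `datacleaner`-style `strip_semicolons()` rule are constructed for the illustration. Note that sqlite3's `execute()` refuses stacked statements outright, so the example isolates the vector that a ';' filter does nothing about: a quote that closes the string literal and appends a tautology.

```python
import sqlite3

# Constructed sample data (not from the original thread). One name carries a
# legitimate ';' to show what the proposed filter does to real values.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("smith; jr", "smith@example.com"),
]


def make_db():
    """Build an in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def strip_semicolons(value):
    """Hypothetical datacleaner rule from the thread: drop ';' from input."""
    return value.replace(";", "")


def find_email_semicolon_filter(conn, name):
    """Vulnerable: ';' is removed, then the value is spliced into SQL text.

    A payload such as  x' OR '1'='1  contains no ';' and passes untouched,
    turning the WHERE clause into a tautology.
    """
    cleaned = strip_semicolons(name)
    sql = "SELECT email FROM users WHERE name = '%s'" % cleaned
    return [row[0] for row in conn.execute(sql)]


def find_email_parameterized(conn, name):
    """Safe: the driver binds the value, so it is data, never SQL syntax.

    Legitimate ';' and quotes in the value survive unchanged.
    """
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def find_email_by_id_cast(conn, user_id):
    """The 'cast' option Dave mentions, for a column that must be an integer.

    int() rejects anything that is not a number, so no quoting question arises;
    ValueError on bad input is the desired failure mode.
    """
    rowid = int(user_id)
    rows = conn.execute("SELECT email FROM users WHERE rowid = %d" % rowid)
    return [row[0] for row in rows]


def demo():
    """Run the same inputs through both approaches and return the results."""
    conn = make_db()
    payload = "x' OR '1'='1"  # classic injection string; no ';' anywhere
    legit = "smith; jr"       # real value that happens to contain ';'
    return {
        "filtered_payload": find_email_semicolon_filter(conn, payload),
        "bound_payload": find_email_parameterized(conn, payload),
        "filtered_legit": find_email_semicolon_filter(conn, legit),
        "bound_legit": find_email_parameterized(conn, legit),
        "cast_id": find_email_by_id_cast(conn, "2"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the filtered query leaking every e-mail address for the injection payload while the bound query returns nothing, and the filter silently turning "smith; jr" into a non-matching "smith jr" while the bound query finds the row. The same holds for a PHP driver: use bound parameters where the layer supports them, otherwise the driver's own escaping function per value, and cast numeric inputs rather than quoting them.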