Re: Editing a string to add a \ before a '

Posted by noone on 02/05/06 00:10

Iván Sánchez Ortega wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> noone wrote:
>
>
>>$sqli = "insert into tableA values ";
>>$sqli .= "('".$_POST['varchar']."',".$_POST['integer'].")";
>
>
> PHP security 101: never ever put values posted by a user directly into a DB
> query, without checking them, escaping them, and treating them as nuclear
> waste.
>
> The above is a very clear example of a SQL injection vulnerability.
>
> - --

Goes without saying... merely a test example of how to enclose the
varchar data with single-quote "'".

You also want to use a platform that is nearly impossible to crack. My
choice is OpenVMS from HP - formerly Compaq - formerly Digital Equipment
Corp (aka DEC).

More scalable and has REAL clusters - not these pretend clusters like
Veritas and Microsoft (bbbbarrfff).

I also prefer Apache/Oracle Rdb - formerly DEC/Rdb and not to be
confused with Oracle RDBMS (8/9/10g) and PHP.

M.

> - ----------------------------------
> Iván Sánchez Ortega -i-punto-sanchez--arroba-mirame-punto-net
>
> http://acm.asoc.fi.upm.es/~mr/
> Proudly running Debian Linux with 2.6.12-1-686 kernel, KDE3.5.0, and PHP
> 5.1.2-1 generating this signature.
> Uptime: 20:16:47 up 23:45, 2 users, load average: 0.21, 0.37, 0.26
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (GNU/Linux)
>
> iD8DBQFD5P3u3jcQ2mg3Pc8RApygAJsGphJajK7EBcNSs3mgvb6LJ2oEigCfc4Md
> 8oq3CdWHeuGdAbzmVKbqEtY=
> =3ktL
> -----END PGP SIGNATURE-----
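The point Iván raises above, shown in working code as an added example (not code from either poster): the quoted snippet builds the INSERT by string concatenation, so a plain value containing an apostrophe already breaks the statement, and the only real fix is to hand values to the database as bound parameters rather than adding a backslash before each quote by hand. The example swaps the thread's raw MySQL-style query for PDO with an in-memory SQLite database so it runs offline; the table and column names (`tableA`, `name`, `qty`) and the sample input are constructed assumptions.

```php
<?php
// Added example, not from the original thread. Contrasts the concatenated
// query from the post with a parameterised one. Table/column names and the
// sample $post array are assumptions made for this demonstration.

function buildUnsafeInsert(array $post): string
{
    // Same construction as the quoted snippet: the single quotes around the
    // varchar value are the only thing separating data from SQL.
    return "insert into tableA values ('" . $post['varchar'] . "',"
         . $post['integer'] . ")";
}

function insertSafe(PDO $db, array $post): void
{
    // Validate the numeric field before it reaches the query at all.
    $qty = filter_var($post['integer'] ?? null, FILTER_VALIDATE_INT);
    if ($qty === false) {
        throw new InvalidArgumentException('integer field must be an integer');
    }

    // Prepared statement: the text value travels as data and is never parsed
    // as SQL, so an embedded apostrophe needs no manual escaping.
    $stmt = $db->prepare('INSERT INTO tableA (name, qty) VALUES (:name, :qty)');
    $stmt->bindValue(':name', (string) ($post['varchar'] ?? ''), PDO::PARAM_STR);
    $stmt->bindValue(':qty', $qty, PDO::PARAM_INT);
    $stmt->execute();
}

// In-memory SQLite stands in for the poster's database so this runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tableA (name TEXT, qty INTEGER)');

// Constructed sample input standing in for $_POST: an ordinary surname with
// an apostrophe is enough to expose the problem.
$post = ['varchar' => "O'Brien", 'integer' => '42'];

// The concatenated statement is malformed SQL for this input.
echo buildUnsafeInsert($post), PHP_EOL;
try {
    $db->exec(buildUnsafeInsert($post));
} catch (PDOException $e) {
    echo 'unsafe insert failed: ', $e->getMessage(), PHP_EOL;
}

// The bound version stores the apostrophe intact.
insertSafe($db, $post);
$row = $db->query('SELECT name, qty FROM tableA')->fetch(PDO::FETCH_ASSOC);
var_dump($row);

// A non-numeric value in the integer field is rejected up front instead of
// being spliced into the statement text.
try {
    insertSafe($db, ['varchar' => 'x', 'integer' => 'forty-two']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run with `php example.php` (requires the `pdo_sqlite` extension). The design choice worth noting: `insertSafe` never touches quoting at all. Escaping functions such as `addslashes` are charset- and driver-specific and are easy to miss on one code path; bound parameters make the separation between query text and data the database driver's job.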
