Re: doing math with html

Posted by Adrienne Boswell on 05/23/07 07:23

Gazing into my crystal ball I observed Toby A Inkster
<usenet200703@tobyinkster.co.uk> writing in
news:0o3di4-s96.ln1@ophelia.g5n.co.uk:

> Adrienne Boswell wrote:
>> wayne:
>>
>>> As I understand PHP, the programmer must check each field for valid
>>> input characters. Wouldn't this keep hackers at bay?
>>
>> Not necessarily. A determined hacker can get past server side
>> checks, if the check is not strong enough. A good example of that is
>> SQL injection, where the page is using dynamic SQL, and the developer
>> is either not using stored procedures, or is not testing for single
>> quotes in input fields.
>
> Surely, "not testing for single quotes" falls into the category of not
> "check[ing] each field for valid input characters"?
>

You would be surprised - there are stored procedures where it doesn't
matter, and there is replacing single quotes with another character; a
tilde is often a choice. Some developers are working with Access
databases, and don't know how/what a stored procedure is. If the
developer doesn't write it into a function, and has to write field =
replace(field,"'","~") a whole bunch of times, they can get lazy and
forget one - for example a phone number. The developer thinks "Oh, phone
numbers don't have single quotes, and no one is going to put a single
quote in a phone number, so no need for a check" -- and that's where the
injection takes place.

--
Adrienne Boswell at Home
Arbpen Web Site Design Services
http://www.cavalcade-of-coding.info
Please respond to the group so others can share
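The failure mode Adrienne describes, as an added illustration that is not part of the original post and not the poster's code: a manual quote-to-tilde replacement applied to some fields but forgotten for the phone field, beside the parameterised form a database driver provides. It uses Python's standard sqlite3 module with a constructed two-row customer table (names and numbers are made up); the function names and the tilde helper are my own choices, not anything from the thread.

```python
import sqlite3

# Constructed sample rows for this example only; not real customer data.
CUSTOMERS = [
    ("O'Brien", "555-0100"),
    ("Smith", "555-0101"),
]


def _connect():
    """Return a fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    return conn


def escape_with_tilde(value):
    """The ad-hoc 'fix' from the post: swap each single quote for a tilde."""
    return value.replace("'", "~")


def find_by_phone_dynamic(phone):
    """Dynamic SQL where the developer skipped the quote replacement for phone.

    Returns the matching names, or the SQL error text when a stray quote in
    the input leaves the statement unparseable. Either way the input has been
    spliced into the SQL grammar instead of being treated as data.
    """
    conn = _connect()
    sql = "SELECT name FROM customers WHERE phone = '" + phone + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return "SQL error: " + str(exc)


def find_by_name_dynamic(name):
    """Dynamic SQL where the developer did remember the tilde replacement.

    The statement stays well-formed, but a legitimate name such as O'Brien
    is mangled to O~Brien before the lookup and no longer matches the row.
    """
    conn = _connect()
    sql = "SELECT name FROM customers WHERE name = '" + escape_with_tilde(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_phone_param(phone):
    """Parameterised query: the driver keeps the value out of the SQL text."""
    conn = _connect()
    rows = conn.execute("SELECT name FROM customers WHERE phone = ?", (phone,))
    return [row[0] for row in rows]


def find_by_name_param(name):
    """Parameterised lookup by name; quotes in the value are just characters."""
    conn = _connect()
    rows = conn.execute("SELECT name FROM customers WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    print(find_by_phone_dynamic("555-0100"))   # normal input works
    print(find_by_phone_dynamic("555-0100'"))  # a quote in the "safe" field breaks the SQL
    print(find_by_name_dynamic("O'Brien"))     # tilde replacement loses the real customer
    print(find_by_phone_param("555-0100'"))    # no match, but no broken statement
    print(find_by_name_param("O'Brien"))       # legitimate quote handled correctly
```

The per-field replace has to be right on every field of every form, so one omission (the phone number in the post) is all it takes; binding parameters moves that guarantee into the driver, and as the O'Brien lookup shows, it also stops the "fix" from corrupting legitimate data.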
