The first rule of database security in webapps is ALWAYS USE PLACEHOLDERS. Repeat 
this three times; if you still have interpolated parameters in your SQL, read 
this again...

Placeholders are those little ?'s that DBI lets you put into your queries; you 
then pass the parameters to $sth->execute() or use 
$sth->bind_params() to set their values. They are fast, they let you prepare 
your statements and cache them (see the prepare_cached() method), and they 
automagically make everything quoted.

NOT using them opens you up to a large number of evil 'SQL Injection' 
attacks. I strongly suggest checking the webappsec mailing list as well as 
the www.owasp.org site for more information, which every webapp author should 
be well aware of. Webapps are HORRIBLY insecure by their very nature, so do 
not expect that if you don't do a lot to secure them they will be 
anything except GIANT gaping security holes in your server!!!!

On Tuesday 26 November 2002 10:59 am, Robin Berjon wrote:
> Kjetil Kjernsmo wrote:
> > and I'm pretty excited about finally getting something
> > working after the pain I had with Cocoon, so I'm pretty happy with that!
> >
> > :-) Yiiiha!
>
> Welcome to sanity :-)
>
> > But if there is an easy way to quote every string in the output of a DBI
> > query (if that is indeed what's needed), I would be even more happy if
> > somebody told me about it.
>
> I haven't looked into this, but you shouldn't need more than s/\\/\\\\/g
> and s/'/\\'/g, or something similar to properly protect your strings,
> provided they are enclosed in single quotes (which I think is preferable,
> because you wouldn't want content from your DB looking like a variable
> being interpolated).
>
> Another option you might want to explore is using
>
>   $clean = Apache::AxKit::Language::XSP::makeSingleQuoted($string);
>
> though I must say my memory is a bit dim (but testing it ought to be safe
> ;).

-- 
Tod Harter
Giant Electronic Brain

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
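
The difference between an interpolated parameter and a ? placeholder, as an added
example that is not part of the original post. It uses DBI with DBD::SQLite on an
in-memory database (an assumption; the thread does not say which driver is in use),
a constructed users table, and a constructed input string of the kind a CGI
parameter might carry. Note that the DBI method for binding a single placeholder is
bind_param(); the post's bind_params() is presumably a slip for it.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed sample data: an in-memory SQLite database with a small users table.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)");
my $ins = $dbh->prepare("INSERT INTO users (name, role) VALUES (?, ?)");
$ins->execute(@$_) for (["alice", "admin"], ["bob", "user"]);

# Constructed untrusted input, as it might arrive from a form field.
# The single quote is the whole problem.
my $name = "nobody' OR '1'='1";

# BAD: the parameter is interpolated into the SQL text. The quote in $name
# closes the string literal and everything after it is parsed as SQL, so the
# WHERE clause becomes   name = 'nobody' OR '1'='1'   which is true for every row.
sub lookup_interpolated {
    my ($dbh, $name) = @_;
    my $sql = "SELECT name, role FROM users WHERE name = '$name'";
    return $dbh->selectall_arrayref($sql);
}

# GOOD: a ? placeholder. The value is bound to the statement, never parsed as
# SQL, so the quote is just a character in the name. prepare_cached() lets DBI
# hand back the already-prepared statement on the next call.
sub lookup_placeholder {
    my ($dbh, $name) = @_;
    my $sth = $dbh->prepare_cached("SELECT name, role FROM users WHERE name = ?");
    $sth->bind_param(1, $name);    # equivalent to passing $name to execute()
    $sth->execute;
    my $rows = $sth->fetchall_arrayref;
    $sth->finish;                  # required before a cached handle is reused
    return $rows;
}

my $bad  = lookup_interpolated($dbh, $name);
my $good = lookup_placeholder($dbh, $name);
printf "interpolated: %d row(s) returned\n", scalar @$bad;
printf "placeholder:  %d row(s) returned\n", scalar @$good;

$dbh->disconnect;
```

Run it and the interpolated lookup returns every user in the table, because the
injected OR makes the WHERE clause true for all rows; the placeholder lookup looks
for a user literally named "nobody' OR '1'='1" and finds none. The same
prepare_cached() handle is also what makes the placeholder version fast on a busy
mod_perl server: the statement is compiled once and only the bound values change.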
