We had some recent SQL injection attacks at my company and upon review
it seems that we have many thousands of lines of PHP (gross, I know)
code that are vulnerable due to unvalidated user input being passed
straight to the db. So I am doing some research and putting together
some suggestions for safer coding standards in how we talk to the db.
The first thing everyone says is that you should escape special chars
from the user input data. But that is a pain and somewhat error prone.
It is easy to miss escaping something.
Then I thought about prepared statements and parameterized queries. I
*think* these are the same thing really, but I'm not sure. Does anyone know?
We will be wanting to implement this in PHP5. It seems like the only way
to get prepared statements with PHP5 is to use the PDO module.
Anyone know of a better way to do this? I did some PHP between 1998 and
2000 and haven't touched it since so I am way out of date on PHP.
--
Tracy R Reed Read my blog at http://ultraviolet.org
Key fingerprint = D4A8 4860 535C ABF8 BA97 25A6 F4F2 1829 9615 02AD
Non-GPG signed mail gets read only if I can find it among the spam.
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-lpsg
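Added example, not from the original post: the vulnerable pattern the poster describes (user input spliced into the SQL text) next to the PDO prepare/execute form. With PDO, "prepared statement" and "parameterized query" name the same mechanism: prepare() sends the SQL with placeholders, execute() sends the values separately, so a value is never parsed as SQL and nothing needs escaping. The table, rows, payload and the findUser* function names are constructed for the demo; it uses PDO's SQLite driver with an in-memory database so it runs offline, and sticks to PHP 5.3 syntax.

```php
<?php
// Added example (not from the original post). Uses PDO + SQLite in memory so
// it runs offline; the users table, its rows and the payload are constructed.

$db = new PDO('sqlite::memory:');

// Caveat for the MySQL driver: PDO emulates prepares by default there, i.e.
// it escapes and interpolates the values client-side instead of sending a
// real server-side prepared statement. Turn that off when the driver supports
// it. SQLite always uses native prepares and simply ignores this attribute.
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)");
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin')");
$db->exec("INSERT INTO users (name, role) VALUES ('bob', 'user')");

// Attacker-controlled input, constructed for the demo.
$userInput = "x' OR '1'='1";

// BEFORE: the input becomes part of the SQL text. The quote in $userInput
// closes the string literal and the OR clause is parsed as part of the query.
function findUserUnsafe(PDO $db, $name)
{
    $sql = "SELECT name, role FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER: the SQL text is fixed at prepare() time and contains only a
// placeholder. The value travels separately in execute(), so whatever
// characters it contains it can only ever be compared as data.
function findUserSafe(PDO $db, $name)
{
    $stmt = $db->prepare("SELECT name, role FROM users WHERE name = :name");
    $stmt->execute(array(':name' => $name));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

printf("unsafe: %d row(s) returned\n", count(findUserUnsafe($db, $userInput)));
printf("safe:   %d row(s) returned\n", count(findUserSafe($db, $userInput)));
```

The unsafe call returns every user, the safe call returns none, because there is no user literally named x' OR '1'='1. Note that placeholders only bind values: table names, column names and ORDER BY directions cannot be parameterized, so those still have to come from a fixed whitelist in the code rather than from the request.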