I don't know anything about PHP, but I do know something about MySQL, web forms, and Java. After reading the whole thread, I do have a couple of things to add.
If PHP supports it, use stored procedures and routines. The use of stored procedures disables the user from doing anything in the DB that's not already there. It also decreases the bandwidth necessary for transferring data. It also adds an extra layer of security by providing some parameter validation.

For my Java code, I have a single class for each DB. For example, a production system I wrote uses two MySQL databases that could be located on a single server or on two different servers. There are two classes that each have all the code necessary for connecting to their respective DB. This way there is a single point through which data will be transferred; it provides an API for the application, and allows for much easier code updates.

For forms, because I use a Tomcat server, I can use a combination of JSP and Java. The web forms are built dynamically, and form data is sent to a JSP script or a Java CGI. The Java code can then validate the form data (as someone said - always assume it's spoofed) without the use of Javascript, such that the user can't see or access the validation code. Also, because the JSP or Java code runs faster than Javascript, the validation process and any other data manipulation that needs to be done does not suck up extra CPU time. With all of this in place, the chances of an attack, or at least a successful one, are very slim.

BTW, regarding a prepared statement and a parameterized query: using Java as an example (again, I know nothing about PHP), it is possible to have a prepared statement that is not parameterized. For example, the statement below is not parameterized:

GetFileTables = LSDB.prepareStatement( "SELECT * FROM Configuration_has_FileTable WHERE Configuration_idConfiguration=4" );

There are no parameters in the statement that the user can inject data into. This next prepared statement IS parameterized:

GetFileTables = LSDB.prepareStatement( "SELECT * FROM Configuration_has_FileTable WHERE Configuration_idConfiguration=?" );

The parameter is indicated by the '?' and the caller can theoretically insert anything in there. Both statements are prepared statements, but only the second is parameterized. Allowing users to build SQL queries is always dangerous, because then they can send anything they want to the DB and there's no way you can write code to check for every possible valid SQL statement.

PGA

Paul G. Allen
Software Engineer BSIT/SE
Quake Global, Inc.
858-277-7290 x285
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-lpsg
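The distinction the post draws between a query whose text is built from caller input and a parameterized query where the '?' is bound by the driver, worked as an added example that is not part of the original message. It uses Python's sqlite3 module in place of the Java/MySQL code the post describes, with a constructed table named after the post's Configuration_has_FileTable query; the validation helper parse_config_id is an assumption reflecting the post's advice to validate form data server-side before it reaches the DB.

```python
import sqlite3
from typing import Any, List

# Constructed sample data standing in for the post's Configuration_has_FileTable
# table. Column names follow the post's query; the rows are invented.
SAMPLE_ROWS = [(1, "ft_alpha"), (4, "ft_beta"), (4, "ft_gamma"), (7, "ft_delta")]


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Configuration_has_FileTable "
        "(Configuration_idConfiguration INTEGER, FileTable_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO Configuration_has_FileTable VALUES (?, ?)", SAMPLE_ROWS
    )
    return conn


def file_tables_concat(conn: sqlite3.Connection, config_id: str) -> List[str]:
    """Query text assembled from caller-supplied input.

    This is the pattern the post warns against: the input becomes part of the
    SQL statement itself, so it can change what the statement means rather
    than only which value it compares against.
    """
    sql = (
        "SELECT FileTable_name FROM Configuration_has_FileTable "
        "WHERE Configuration_idConfiguration=" + config_id + " "
        "ORDER BY FileTable_name"
    )
    return [row[0] for row in conn.execute(sql)]


def file_tables_param(conn: sqlite3.Connection, config_id: Any) -> List[str]:
    """Parameterized form of the post's second prepared statement.

    The '?' is a bind placeholder: the driver passes the value to the engine
    separately from the statement text, so whatever the caller supplies is
    compared as a literal value and is never parsed as SQL.
    """
    sql = (
        "SELECT FileTable_name FROM Configuration_has_FileTable "
        "WHERE Configuration_idConfiguration=? ORDER BY FileTable_name"
    )
    return [row[0] for row in conn.execute(sql, (config_id,))]


def parse_config_id(raw: str) -> int:
    """Server-side validation step (assumed helper, not from the post).

    Rejects anything that is not a plain non-negative integer, so a bad value
    is refused before the query runs instead of being bound and silently
    matching nothing.
    """
    if not raw.isdigit():
        raise ValueError(f"configuration id must be a non-negative integer, got {raw!r}")
    return int(raw)


def lookup_file_tables(conn: sqlite3.Connection, raw_config_id: str) -> List[str]:
    """Validate the form value, then run the parameterized query with it."""
    return file_tables_param(conn, parse_config_id(raw_config_id))


if __name__ == "__main__":
    db = build_db()
    print("concat, id 4:        ", file_tables_concat(db, "4"))
    print("concat, hostile input:", file_tables_concat(db, "4 OR 1=1"))
    print("param, id 4:         ", file_tables_param(db, 4))
    print("param, hostile input: ", file_tables_param(db, "4 OR 1=1"))
```

Running the block shows the difference the post describes: the concatenated query returns every row for the input `4 OR 1=1` because the text was parsed as part of the WHERE clause, while the bound parameter is compared as a single literal and matches no row. The validation helper goes one step further and refuses the value outright, which is the behaviour a caller-facing API should have.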
