On Sunday 21 March 2004 06:39 pm, Chris Shiflett wrote:
> --- Michael Rasmussen <[EMAIL PROTECTED]> wrote:
> > > To be clear: make sure the data that the user submitted only
> > > contains the characters you think are valid (don't bother trying
> > > to guess malicious characters - you're sure to miss one) and is a
> > > valid length. Once you've done this, and your design helps you to
> > > make sure that this step can't be bypassed by the user, you're
> > > protected against SQL injection.
> >
> > Or even better: Use only prepared statements.
>
> Can you explain that (and defend it)?

Maybe he's talking about stored procedures?

"Banks, for instance, use stored procedures for all common operations. This 
provides a consistent and secure environment, and procedures can ensure that 
each operation is properly logged. In such a setup, applications and users 
would not get any access to the database tables directly, but may only 
execute specific stored procedures."
- http://www.mysql.com/doc/en/Stored_Procedures.html
>
> Chris
>
> =====
> Chris Shiflett - http://shiflett.org/
>
> PHP Security - O'Reilly
>      Coming mid-2004
> HTTP Developer's Handbook - Sams
>      http://httphandbook.org/
> PHP Community Site
>      http://phpcommunity.org/

-- 
Evan Nemerson
[EMAIL PROTECTED]
http://coeusgroup.com/en

--
"To achieve adjustment and sanity and the conditions that follow from them, we 
must study the structural characteristics of this world first and, then only, 
build languages of similar structure, instead of habitually ascribing to the 
world the primitive structure of our language."

-Alfred Korzybski

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
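The three points raised in this thread, shown side by side as an added example (not code from any of the posters, and in Python with SQLite rather than the PHP/MySQL the list discusses, so it runs without a database server): a query built by string concatenation, Chris's whitelist check on characters and length, and Michael's prepared (parameterised) statement. The table, rows and the `x' OR '1'='1` payload are constructed for the demonstration; stored procedures (Evan's suggestion) are not shown because SQLite has none.

```python
"""Added example: SQL injection through string concatenation, and the two
defences discussed in the thread (input whitelisting, prepared statements).
In-memory SQLite with constructed sample rows; not from the original posts."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "user"), ("bob", "hunter2", "admin")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """The 'before': user input pasted into the SQL text. A value such as
    x' OR '1'='1 turns the WHERE clause into a tautology and returns every row."""
    sql = ("SELECT username, role FROM users WHERE username = '"
           + username + "' ORDER BY username")
    return conn.execute(sql).fetchall()


# Chris's approach: describe what a valid value looks like (allowed characters
# and a length bound) instead of trying to enumerate the dangerous characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def lookup_validated(conn: sqlite3.Connection, username: str) -> list:
    """Whitelist first; the concatenated query is only safe because no quote,
    space or SQL metacharacter can survive the check above."""
    if not is_valid_username(username):
        raise ValueError("invalid username")
    return lookup_unsafe(conn, username)


def lookup_prepared(conn: sqlite3.Connection, username: str) -> list:
    """Michael's approach: the SQL text is fixed and the value travels as a
    bound parameter, so a quote inside it is data, never part of the statement."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? ORDER BY username",
        (username,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"          # constructed injection payload
    print("unsafe:   ", lookup_unsafe(db, payload))    # leaks both rows
    print("prepared: ", lookup_prepared(db, payload))  # no such user: []
    try:
        lookup_validated(db, payload)
    except ValueError as e:
        print("validated:", e)                          # rejected before the query
```

The prepared statement is the defence that does not depend on a separate step being applied on every code path, which is the "design helps you make sure that this step can't be bypassed" condition in Chris's advice; the whitelist is still worth keeping for fields whose format is known, since it also catches values that are syntactically harmless but semantically wrong.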