> question 1
>
> If you use the PHP filters & sanitizations, and you plan on using PDO
> with bound params, are you absolutely safe? And if not, why? What are
> the other ways for them to still make it in - even with PDO and bound
> params properly in place? Just curious.

There are no known exploits or techniques on injecting into
parameterized queries.

> question 2
>
> If you use the PHP filters & sanitizations, and for some reason, you
> CANNOT use PDO, what do you do against those situations where the user
> input is expected to be coming as a string and it's perfectly OK for
> it to be, say, around 1000 chars! For example, you are receiving a
> guest book comment. Use b64? But with b64, doesn't search capability go
> down the drain? So we basically give up on search? Can we not come up
> with a solution which allows the search but is still safe? What do we
> do?

Search depends on your search. For example, if I have 1000 chars, I may
not want to search on all the words, only some key words, in which
case b64 doesn't mean that you can't search. Doing a full text index on
a 1000-char field in a decently large database can be quite hazardous
to performance... On another note, you can still insert as clear text:

insert into foo (bar, pub) values (FROM_BASE64('c2hvdHM='), FROM_BASE64('YmVlcg=='))
-- FROM_BASE64() is MySQL's built-in base64 decoder (5.6+); the original used a placeholder b64d()

It doesn't matter what is encoded in the b64; what matters is that it
is NOT code that SQL will execute, you see what I'm saying?

You can be decently secure with escaping, but again, it fails as a
security solution. If you can do neither, then set the default char
set on the page, database and even in php do a utf8_decode or
something, validate, check, escape and you will be reasonably secure.

> question 3
>
> Is there really no way to stop the user input if its char set is not
> UTF-8? Can we not enforce the user input to be in UTF-8 only and reject
> all other input? If there is such a way, wouldn't we be better off using
> mysql_real_escape to allow both search and be safe? Or is there really
> no way to understand the incoming user input char set in PHP?

Set the default encoding on page and DB, check in PHP.

> question 4
>
> Do you have any white paper or any article that covers your most
> recommended solution against lengthy user input while you still want
> the search to work? You seem to know a lot and I think you should have
> at least an article where we people can discuss the article at the
> bottom. It's always useful. If you don't have one, I strongly
> recommend you come up with one because I'm sure it will be useful.

I do not; however, I am thinking about talking to Rasmus, to see if
maybe I can get him to see the same issue with regards to the language
that I am seeing. I'll go from whatever comes out of that.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
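A worked version of the points made in this reply, as an added example that is not code from the thread: PDO with bound parameters against an in-memory SQLite table, UTF-8 validation of the input, and base64 storage that still allows keyword search. The table and column names, and the `b64d` function registered through `sqliteCreateFunction()`, are assumptions made for the demo.

```php
<?php
// Added example, not from the thread: bound parameters, UTF-8
// validation and base64 storage with search, on in-memory SQLite.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // driver-side binding, not PHP-side splicing
$db->exec('CREATE TABLE guestbook (id INTEGER PRIMARY KEY, author TEXT, body_b64 TEXT)');
// SQLite has no base64 function, so register one (named after the
// b64d() placeholder used above); MySQL 5.6+ has FROM_BASE64().
$db->sqliteCreateFunction('b64d', 'base64_decode', 1);

// Question 3: refuse input that is not well-formed UTF-8 or too long
// before it gets anywhere near the database.
function valid_utf8(string $s, int $maxLen = 1000): bool {
    return mb_check_encoding($s, 'UTF-8') && mb_strlen($s, 'UTF-8') <= $maxLen;
}

// Question 1: the comment is passed as a bound value, so quotes and
// comment markers inside it are stored as text, never parsed as SQL.
function add_comment(PDO $db, string $author, string $body): int {
    if (!valid_utf8($author, 64) || !valid_utf8($body)) {
        throw new InvalidArgumentException('input is not valid UTF-8 or is too long');
    }
    $stmt = $db->prepare('INSERT INTO guestbook (author, body_b64) VALUES (:author, :body)');
    // Question 2: stored base64 only ever contains [A-Za-z0-9+/=], so
    // the column can never carry SQL metacharacters.
    $stmt->execute([':author' => $author, ':body' => base64_encode($body)]);
    return (int) $db->lastInsertId();
}

// Search still works: decode inside the query and match with LIKE. The keyword
// is bound too, and its % and _ wildcards are escaped so a user cannot widen it.
function search_comments(PDO $db, string $keyword): array {
    $pattern = '%' . addcslashes($keyword, '%_\\') . '%';
    $stmt = $db->prepare("SELECT author, b64d(body_b64) AS body FROM guestbook "
        . "WHERE b64d(body_b64) LIKE :kw ESCAPE '\\'");
    $stmt->execute([':kw' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo input, including a comment that would end the string
// literal in a concatenated query; here it is just data.
add_comment($db, 'alice', 'Loved the beer and the shots');
add_comment($db, 'mallory', "It's great ' OR '1'='1");
$rows = $db->query('SELECT COUNT(*) FROM guestbook')->fetchColumn();
$hits = search_comments($db, "' OR '1");
printf("%d rows stored, %d hit(s) for the quoted keyword: %s\n",
    $rows, count($hits), $hits[0]['body'] ?? '(none)');
```

Both comments are stored verbatim and the second is found again by searching for part of the quoted text, which is exactly the "it is data, not code" point made above.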