> *Always* validate your data. If you validate your data and never trust
> anything which comes from the client side of the connection, your
> problem goes away. I mean, you wouldn't pass user data to exec() 
> or fopen() without some serious checking, would you? ;)
> Sure, PHP could try to prevent every possible problem from cropping up,
> but that would make the language pretty useless. It's up to the coder
> to not program security flaws. 
> -- 
>  Torben Wilson <[EMAIL PROTECTED]>
>  http://www.thebuttlesschaps.com
>  http://www.hybrid17.com
>  http://www.inflatableeye.com
>  +1.604.709.0506

I understand you try to 'protect' your own product, but you have to
stay a bit realistic about some things. Of course I check the input.
But you know... there's absolutely nothing wrong with allowing
quotes to be stored in the database. It's just that awful 'feature'
that makes it rather dangerous to do. If that feature/bug was
documented _anywhere_ it would still not be good, but at least
someone would know that PHP does this. But no... it's not
documented, not anywhere! You can't check user input for stuff you
don't know can harm anything. Like I said... quotes are very
normal to be allowed in the database.

It would be a good thing if you guys did one of the following:

1. Get rid of the bug(/feature) right away or
2. Document it clearly. Eg. in the documentation of odbc_execute().


* R&zE:

-- Renze Munnik
-- DataLink BV
-- W: +31 23 5326162
-- F: +31 23 5322144
-- M: +31 6 21811143
-- Stationsplein 82
-- 2011 LM  HAARLEM
-- Netherlands
-- http://www.datalink.nl

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php