php-windows Digest 19 Feb 2012 04:03:40 -0000 Issue 4005

Topics (messages 30775 through 30777):

Re: SQL injection - mysql_real_escape_string()?
        30775 by: Jean Rafael Tardem Delefrati
        30776 by: Jacob Kruger

phpinfo script loading time
        30777 by: Mayur Patil

Administrivia:

To subscribe to the digest, e-mail:
        php-windows-digest-subscr...@lists.php.net

To unsubscribe from the digest, e-mail:
        php-windows-digest-unsubscr...@lists.php.net

To post to the list, e-mail:
        php-wind...@lists.php.net


----------------------------------------------------------------------
--- Begin Message ---
Hi, 

If you are especially paranoid, you can use prepared statements (only
mysqli).
If you are even more paranoid, you can use views and stored procedures and
never let the user access (directly) the tables of your database.

Never forget that $_GET functions can carry injections when you make some
queries like "SELECT [...] WHERE id='" . $_GET["id"] . "'".
You can even change from the default $_GET and $_POST to another function
where you can check every input.

There are a lot of things that can be done, so I suggest you read this:
The Ten Most Critical Web Application Security Risks -
http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf


Best regards,
Jean Rafael Tardem Delefrati

-----Original Message-----
From: Jacob Kruger [mailto:jac...@mailzone.co.za]
Sent: Wednesday, 15 February 2012 11:56
To: php-wind...@lists.php.net
Subject: Re: [PHP-WIN] SQL injection - mysql_real_escape_string()?

Ok, while I did find some tutorial material on mysqli, etc., neither my WAMP
installation nor my online hosting server seems to support it at all, but
anyway.

Stay well

Jacob Kruger
Blind Biker
Skype: BlindZA
'...fate had broken his body, but not his spirit...'

----- Original Message -----
From: "Jacob Kruger" <jac...@mailzone.co.za>
To: <php-wind...@lists.php.net>
Sent: Monday, February 13, 2012 7:38 AM
Subject: [PHP-WIN] SQL injection - mysql_real_escape_string()?


Just wondering if anyone else specifically does more than using the
mysql_real_escape_string function to check freely entered text values before
processing queries to a MySQL database as such?

Stay well

Jacob Kruger
Blind Biker
Skype: BlindZA
'...fate had broken his body, but not his spirit...'


-- 
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



--- End Message ---
--- Begin Message ---
Will check it out, but for example, one of the first things I do, when making use of something like a row Id passed as a querystring/$_GET item, is use the is_numeric() function to make sure it's only a number, etc.

Stay well

Jacob Kruger
Blind Biker
Skype: BlindZA
'...fate had broken his body, but not his spirit...'

----- Original Message -----
From: "Jean Rafael Tardem Delefrati" <jeandelefr...@gmail.com>
To: <php-wind...@lists.php.net>
Sent: Wednesday, February 15, 2012 10:00 PM
Subject: RES: [PHP-WIN] SQL injection - mysql_real_escape_string()?




--- End Message ---
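A worked example covering both points raised in the thread: the prepared-statement advice in Jean's message and the is_numeric() check on a row id in Jacob's reply. This is added example code, not code from either poster or from the PHP project; it targets PHP 7.1 or later with the mysqli extension and assumes a table `users` with columns `id` and `name`, plus placeholder connection details.

```php
<?php
// Added example, not from the mailing list thread. Table "users" with
// columns "id" and "name" and the connection details are assumptions.

declare(strict_types=1);

// The vulnerable pattern quoted in the thread: the value is spliced into
// the SQL text, so a single quote in it ends the literal and the rest of
// the value is parsed as SQL by the server.
function vulnerableQuery(string $id): string
{
    return "SELECT name FROM users WHERE id='" . $id . "'";
}

// A stricter check than is_numeric(). is_numeric() returns true for
// " 42" (leading whitespace), "1e3" (exponent) and "4.5" (float), none of
// which is a row id. This accepts only a plain positive decimal integer
// short enough to fit in a 64-bit int; anything else yields null.
function validateRowId($raw): ?int
{
    if (!is_string($raw) || !preg_match('/\A[1-9][0-9]{0,17}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Prepared statement: the SQL text is sent to the server first and the
// value is bound separately as an integer, so the value can never change
// the structure of the statement. No escaping is involved.
function fetchUserName(mysqli $db, int $id): ?string
{
    $stmt = $db->prepare("SELECT name FROM users WHERE id = ?");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }
    $stmt->bind_param("i", $id);   // "i" = integer parameter
    $stmt->execute();
    $stmt->bind_result($name);
    $found = $stmt->fetch();       // true when a row was read
    $stmt->close();
    return $found ? $name : null;
}

// Constructed inputs (not real traffic) showing where is_numeric() and the
// stricter validator disagree, and how a quote breaks the concatenated query.
foreach (["42", " 42", "1e3", "4.5", "42'"] as $raw) {
    printf("%-8s is_numeric=%-5s validateRowId=%s\n",
        var_export($raw, true),
        is_numeric($raw) ? "true" : "false",
        var_export(validateRowId($raw), true));
}
echo vulnerableQuery("42'"), "\n";   // the literal is no longer balanced

// Usage against a real server (placeholder credentials, not from the page):
// $db = new mysqli("localhost", "dbuser", "dbpass", "appdb");
// $id = validateRowId($_GET["id"] ?? null);
// if ($id === null) { http_response_code(400); exit("invalid id"); }
// echo fetchUserName($db, $id) ?? "not found", "\n";
```

The validator and the prepared statement are independent defences: the bound integer parameter is what actually prevents injection, while the validator rejects malformed ids early with a 400 rather than passing them on to the database, and avoids the looser inputs is_numeric() lets through.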
--- Begin Message ---
I have an issue. Maybe it sounds funny,
but it's a fact.
I installed Apache 2.2.22 and PHP 5.3.10.
So, when my internet connection is active,
the phpinfo script runs fast, as does the
Apache index.html.
But when I disconnect from the internet,
the compilation of the PHP script again goes
slow. I tried to find the bug in httpd.conf
and php.ini, but still the problem persists.
I am using Windows XP SP3. Need help!!

--- End Message ---