FUDforum: comp.lang.php » Sanitising input

Home » Imported messages » comp.lang.php » Sanitising input

Show: Today's Messages :: Polls :: Message Navigator

Re: Sanitising input [message #172145 is a reply to message #172143]

Tue, 01 February 2011 00:53

Denis McMahon
Messages: 634
Registered: September 2010

Karma:

Senior Member

On 31/01/11 23:39, Norman Peelman wrote:
> Captain Paralytic wrote:
>> On Jan 31, 1:17 am, Norman Peelman <npeel...@cfl.rr.com> wrote:
>>> To the best of my knowledge, the PHP/MySQL library doesn't allow more
>>> than one sql statement in the same query.
>>
>> Luckily enough, php is better than your best (as a Google search for
>> "php multiple queries mysql" would have shown you):
>> http://php.net/manual/en/mysqli.multi-query.php

> Well then, that seems like an invitation for injection. The standard
> mysql extension does not.

I'm glad you feel that it is safe to assume that you never need to worry
about sql injection if coding php / mysql_* functions. You are obviously
supremely confident that mysql_query() will never be changed to support
multiple sql statements. I mean, it's obvious that this could never
happen, right? It's an impossibility. No-one would ever code it as an
enhancement to to the mysql_* functions, so you don't need to worry that
some day in the future, when a hosting company updates a server,
suddenly your websites might become vulnerable because you assumed that
a function would never change in a backward compatible manner that might
suddenly expose a vulnerability that everyone (well, you, anyway)
assumed they were safe from.

You carry on thinking that. Personally I think it would be negligent to
assume that there will never be a future change to or a bug in the
mysql_query interface that might allow such an attack to succeed and
that my code will always be protected against sql injection by this
feature of the implementation.

So yeah, I always assume that sql injection is something that needs to
be considered as an attack vector even if the environment that I'm
currently coding for claims, in its current incarnation, to be
inherently hardened against that attack vector.

Rgds

Denis McMahon

Report message to a moderator

[Message index]

		Sanitising input By: Mad Hatter on Sun, 30 January 2011 14:09
		Re: Sanitising input By: Michael Fesser on Sun, 30 January 2011 15:00
		Re: Sanitising input By: Denis McMahon on Sun, 30 January 2011 16:35
		Re: Sanitising input By: Norman Peelman on Mon, 31 January 2011 01:17
		Re: Sanitising input By: Captain Paralytic on Mon, 31 January 2011 11:51
		Re: Sanitising input By: Norman Peelman on Mon, 31 January 2011 23:39
		Re: Sanitising input By: Denis McMahon on Tue, 01 February 2011 00:53
		Re: Sanitising input By: Norman Peelman on Tue, 01 February 2011 11:26
		Re: Sanitising input By: Denis McMahon on Mon, 31 January 2011 12:05
		Re: Sanitising input By: P E Schoen on Sun, 30 January 2011 19:47
		Re: Sanitising input By: Felix Saphir on Sun, 30 January 2011 19:55
		Re: Sanitising input By: Ross McKay on Sun, 30 January 2011 21:39
		Re: Sanitising input By: Jerry Stuckle on Sun, 30 January 2011 21:50
		Re: Sanitising input By: Ross McKay on Mon, 31 January 2011 03:43
		Re: Sanitising input By: Jerry Stuckle on Mon, 31 January 2011 04:12
		Re: Sanitising input By: Ross McKay on Mon, 31 January 2011 05:01
		Re: Sanitising input By: Jerry Stuckle on Mon, 31 January 2011 05:10
		Re: Sanitising input By: Ross McKay on Mon, 31 January 2011 05:38
		Re: Sanitising input By: Jerry Stuckle on Mon, 31 January 2011 12:51
		Re: Sanitising input By: Sherm Pendley on Sun, 30 January 2011 22:18
		Re: Sanitising input By: Ross McKay on Mon, 31 January 2011 03:52
		Re: Sanitising input By: Sherm Pendley on Mon, 31 January 2011 05:23

Previous Topic:	Only SPAM!!!
Next Topic:	What tasks are hard for PHP?

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Fri Sep 20 13:22:13 GMT 2024

Total time taken to generate the page: 0.03477 seconds