FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Sanitising input
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Sanitising input [message #172147 is a reply to message #172145] Tue, 01 February 2011 11:26 Go to previous messageGo to previous message
Norman Peelman is currently offline  Norman Peelman
Messages: 126
Registered: September 2010
Karma:
Senior Member
Denis McMahon wrote:
> On 31/01/11 23:39, Norman Peelman wrote:
>> Captain Paralytic wrote:
>>> On Jan 31, 1:17 am, Norman Peelman <npeel...@cfl.rr.com> wrote:
>>>> To the best of my knowledge, the PHP/MySQL library doesn't allow more
>>>> than one sql statement in the same query.
>>> Luckily enough, php is better than your best (as a Google search for
>>> "php multiple queries mysql" would have shown you):
>>> http://php.net/manual/en/mysqli.multi-query.php
>
>> Well then, that seems like an invitation for injection. The standard
>> mysql extension does not.
>
> I'm glad you feel that it is safe to assume that you never need to worry
> about sql injection if coding php / mysql_* functions. You are obviously
> supremely confident that mysql_query() will never be changed to support
> multiple sql statements. I mean, it's obvious that this could never
> happen, right? It's an impossibility. No-one would ever code it as an
> enhancement to to the mysql_* functions, so you don't need to worry that
> some day in the future, when a hosting company updates a server,
> suddenly your websites might become vulnerable because you assumed that
> a function would never change in a backward compatible manner that might
> suddenly expose a vulnerability that everyone (well, you, anyway)
> assumed they were safe from.
>

I never said any such thing - sanitizing input is always important.
As for mysqli allowing it, why open a security hole?

> You carry on thinking that. Personally I think it would be negligent to
> assume that there will never be a future change to or a bug in the
> mysql_query interface that might allow such an attack to succeed and
> that my code will always be protected against sql injection by this
> feature of the implementation.
>

Again, I never said that feature is the (or my) sole protection
against injection.

> So yeah, I always assume that sql injection is something that needs to
> be considered as an attack vector even if the environment that I'm
> currently coding for claims, in its current incarnation, to be
> inherently hardened against that attack vector.
>
> Rgds
>
> Denis McMahon


--
Norman
Registered Linux user #461062
-Have you been to www.php.net yet?-
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Only SPAM!!!
Next Topic: What *tasks* are hard for PHP?
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Wed Nov 27 02:53:52 GMT 2024

Total time taken to generate the page: 0.04200 seconds