[nycphp-talk] php in securityfocus 218

Hans Zaunere hans at nyphp.org
Wed Oct 22 11:47:17 EDT 2003



David Mintz wrote:

> On Tue, 21 Oct 2003, Chris Snyder wrote:
> 
> 
>><snip />
>>So we can kill this thread, is it safe to say that three best practices
>>here are:
>>
>>1) always check user input to make sure it's the type and size of data
>>that you expect

Agreed.  Although, you can eat up a lot of time/code/performance checking incoming data.  People deal with this in various ways and with varying levels of paranoia, but I've always liked the 'if bad data only affects that user's data, then that's his problem.'

It's also good to know where to validate the data, i.e. as it's coming from the outside world (browser), being passed around within your logic, or finally getting committed into a database.  I've always liked the first one.  Being conscious of this allows you to realize the difference between validating data as you should, i.e. from untrusted, external sources, and validating data within your application, i.e. programming mistakes.  Kind of the hard shell, soft chewy center model.

>>2) use mysql_real_escape_string() if possible, or addslashes() to escape
>>any quotes in the data
> 
> Will the PEAR DB's quote($value) do as well, do ya think?
> 
> Also, if you use PEAR's prepare("select * from foo where bla = ?")  and
> execute($sth,array('Gack')), you get quoting/escaping automatically,
> right?

PEAR should handle all this, regardless of the database itself.  That's the beauty of a DB abstraction, but... do you trust it?  :)

>>3) always encapsulate field values in quotes in your queries
>>
> 
> Yeah, I've read somewhere that it never hurts to quote even numeric field
> value types. That's standard rather than MySQL-specific, no?

Yeah, in fact Oracle will often curse you if you don't use single quotes everywhere (not that Oracle uses SQL standards).  That said, and this could probably be viewed as a bad habit, when working with mysql:

// $inputnumber is the untrusted value (e.g. from $_GET); the (int) cast
// guarantees $somenumber is digits only, so it can go unquoted into the query
$somenumber = (int) $inputnumber;

mysql_query("SELECT * FROM somedb.sometable WHERE numcol=$somenumber", $MYDB);

Quick, secure, and dirty,

H
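The three practices discussed in the thread (validate type and size at the edge, let the driver escape the value, keep the value quoted or guaranteed numeric) in one self-contained script, as an added example that is not part of the original post. It uses PDO with an in-memory SQLite database so it runs offline; PDO's prepare()/execute() is assumed here as the stand-in for PEAR DB's prepare()/execute() (the mysql_* functions in the thread were removed in PHP 7), and the validateUsername/validateId/findByName/findByIdCast helpers are constructed for this example.

```php
<?php
// Added example, not code from the thread. Requires PHP 8 with pdo_sqlite.
declare(strict_types=1);

// Practice 1: check type and size of untrusted input at the "hard shell",
// i.e. as it arrives from the browser. Returns null when the value is not
// what we expect. The 3..32 character whitelist is a constructed policy.
function validateUsername(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $raw) === 1 ? $raw : null;
}

// Stricter numeric check than a bare (int) cast: "42abc" and "1e3" are
// rejected instead of silently becoming 42 and 1.
function validateId(mixed $raw): ?int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
}

// In-memory SQLite with a few constructed sample rows, including a name
// that contains a single quote.
function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (id, name) VALUES (?, ?)');
    foreach ([[1, 'alice'], [2, "o'brien"], [3, 'bob']] as $row) {
        $ins->execute($row);
    }
    return $db;
}

// Practices 2 and 3 at once: a placeholder is escaped *and* quoted by the
// driver, so a quote inside the data (o'brien) stays part of the value and
// never reaches the SQL text. This is what the thread's PEAR question asks.
function findByName(PDO $db, string $name): array
{
    $st = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $st->execute([$name]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// The thread's "quick, secure, and dirty" numeric case: after the (int) cast
// the interpolated token can only be digits (or a minus sign), so it is safe
// to leave it unquoted. Use the placeholder form above where the driver
// supports it; this one exists to show why the cast is sufficient.
function findByIdCast(PDO $db, mixed $raw): array
{
    $id = (int) $raw;   // "2abc" becomes 2, "abc" becomes 0
    return $db->query("SELECT id, name FROM users WHERE id = $id")
              ->fetchAll(PDO::FETCH_ASSOC);
}

$db = openDb();
var_dump(validateUsername("o'brien"));      // NULL: the quote fails the whitelist
var_dump(validateId('2abc'));               // NULL: not an integer
var_dump(findByName($db, "o'brien"));       // one row; the quote is harmless data
var_dump(findByIdCast($db, '2abc'));        // one row, id 2, via the cast
```

Validation at the edge and driver-side escaping are not alternatives: the whitelist rejects input that should never have been sent, while the placeholder guarantees that whatever does get through cannot alter the statement.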
