[nycphp-talk] PHP Vulnerability
Chris Shiflett
shiflett at php.net
Fri Dec 17 16:35:15 EST 2004
--- Daniel Convissor <danielc at analysisandsolutions.com> wrote:
> If I expect something to be an integer, it better be an integer.
> If I had to accept a file name, it wouldn't be allowed to have
> double periods or slashes in it. I tend to check for length also.
This is a very good practice. Like Dan, I also don't like the idea of
relying on something like addslashes() to protect against SQL injection.
Data should be both filtered and escaped, not just escaped.
In fact, I have a very high opinion of the principle of defense in depth,
which is just a fancy way to say that redundancy is a good thing, even in
terms of security safeguards. It's nice to have a backup check, just in
case you screw up when writing your code. Not that any of us do that. :-)
Chris
=====
Chris Shiflett - http://shiflett.org/
PHP Security - O'Reilly HTTP Developer's Handbook - Sams
Coming Soon http://httphandbook.org/
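A concrete version of the filter-then-escape approach the thread describes (integer and file-name checks with a redundant backup check, then a prepared statement rather than addslashes()), written here as an added example that is not part of the original post; it assumes modern PHP with a PDO connection named `$pdo` (a hypothetical name) and a `users` table with `id` and `name` columns.

```php
<?php
// Added example, not from the original post. Filter first, then escape.
declare(strict_types=1);

/** Return an int only if the input is a pure decimal integer within range, else null. */
function filterInt(string $input, int $min = 0, int $max = PHP_INT_MAX): ?int
{
    // ASCII digits only: no sign, no whitespace, no leading zeros, no "0x".
    // At most 18 digits so the value always fits a 64-bit int.
    if (!preg_match('/^(0|[1-9][0-9]{0,17})$/', $input)) {
        return null;
    }
    $n = (int) $input;
    return ($n >= $min && $n <= $max) ? $n : null;
}

/** Return a bare file name (no slashes, no "..") of bounded length, else null. */
function filterFileName(string $input, int $maxLen = 64): ?string
{
    if ($input === '' || strlen($input) > $maxLen) {
        return null;
    }
    // Allow-list: letters, digits, "_", "-", and single dots between segments.
    if (!preg_match('/^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*$/', $input)) {
        return null;
    }
    // Defense in depth: the regex already excludes these, but keep an
    // independent check in case the pattern is edited later.
    if (strpos($input, '..') !== false || strpbrk($input, '/\\') !== false) {
        return null;
    }
    return $input;
}

/** Look up a user by a raw request value; rejects rather than "cleans" bad input. */
function loadUser(PDO $pdo, string $rawId): ?array
{
    $id = filterInt($rawId, 1);
    if ($id === null) {
        return null;
    }
    // Escaping step: the value is bound as a parameter, never interpolated.
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample inputs: "42" -> 42; "42abc", "-1", " 7" -> null;
// "report.txt" passes; "../etc/passwd" and "a/b.txt" -> null.
```

Rejected values are dropped, not repaired: rewriting a bad file name into a "safe" one is exactly the kind of single-layer fix the post argues against.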