NYCPHP Meetup

[nycphp-talk] Not-so-subtle attack on PHP

csnyder chsnyder at gmail.com
Wed Sep 26 14:04:04 EDT 2007


On 9/26/07, Kenneth Downs <ken at secdat.com> wrote:
>
>  From:
> http://www.eweek.com/article2/0,1759,2188714,00.asp
>
>  Q: How can sites protect themselves against SQL injection?
>  A:  You basically have a choice between programming tools that lock you
>  into proprietary architectures and those that allow you to incorporate new
>  open source libraries and tools as they become available.

There, fixed that for them.

If your PHP code isn't preventing SQL injection then use one of the
many extensions or libraries that prevents it... or write your own.

My personal favorite:
public function esc( $value ) {
  return mysql_real_escape_string( $value, $this->db );
}

-- 
Chris Snyder
http://chxo.com/



More information about the talk mailing list