[nycphp-talk] Not-so-subtle attack on PHP

David Krings ramons at gmx.net
Wed Sep 26 22:25:24 EDT 2007


Kenneth Downs wrote:
> From: http://www.eweek.com/article2/0,1759,2188714,00.asp
> 
> Q: How can sites protect themselves against SQL injection?
> A: The best defense is to design your database-backed Web site properly 
> to make sure it always separates SQL code and user data. You basically 
> have a choice between programming tools that are specifically designed 
> to prevent you from making this kind of mistake and those that allow you 
> to get into trouble if you're not careful. Roughly speaking, this 
> corresponds to the difference between the newer Microsoft .Net tools and 
> their older tools or open source frameworks like PHP.
> 

Oh geez, it doesn't matter which programming / scripting language is 
used. You can make .NET susceptible to SQL injections just as easily, 
just don't escape user input. Who writes stuff like that?

David
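
The separation of SQL code and user data discussed in this thread, shown in PHP as an added example that is not part of the original post or the quoted article. It assumes PHP with the pdo_sqlite extension; the table, the input string and the three function names are constructed for illustration.

```php
<?php
// Added example: constructed schema and rows in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (name TEXT, secret TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 'a-secret'), ('bob', 'b-secret')");

// Vulnerable: user data is spliced into the SQL text, so a quote character
// in the input changes the structure of the statement itself.
function lookupConcatenated(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Escaped: the value is quoted for this driver before being spliced in.
// Safe here, but only as long as every value on every code path is escaped.
function lookupQuoted(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = " . $db->quote($name);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Separated: the SQL text is fixed and the value travels as a bound
// parameter, so it is never parsed as SQL.
function lookupPrepared(PDO $db, string $name): array
{
    $stmt = $db->prepare("SELECT name FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input containing a quote character; no user has this name.
$input = "nobody' OR '1'='1";

foreach (['lookupConcatenated', 'lookupQuoted', 'lookupPrepared'] as $fn) {
    printf("%-20s %s\n", $fn, json_encode($fn($db, $input)));
}
```

The concatenated lookup returns every row for this input, while the quoted and prepared lookups return none.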
