[nycphp-talk] Embrace Dynamic PHP
Austin Smith
netaustin at gmail.com
Fri Apr 25 17:27:58 EDT 2008
I thought I was pretty clear: that query was an example of what many newbies
do, not what I would do (... so they don't blow their brains out with things
like ...), exposing a vulnerability and almost certainly exposing themselves
to copy-paste repetition. It certainly wasn't shorthand, and I've seen it a
thousand times.
On Fri, Apr 25, 2008 at 8:49 AM, Daniel Convissor <danielc at analysisandsolutions.com> wrote:
> On Thu, Apr 24, 2008 at 07:34:50PM -0400, Austin Smith wrote:
>
> > Further, I've long wanted to write a very simple set of flexible helper
> > functions for PHP newbies so they don't blow their brains out with things
> > like mysql_query("insert into blog_entries values(0, '{$_POST['title']}',
> > '{$_POST['body']}')");
>
> Fortunately, you haven't done so yet and thereby introduced the world to
> another SQL Injection attack and path disclosure vulnerability. :) You
> have to escape input into the query and ensure $_POST variables actually
> exist before using them to avoid PHP notices.
>
> Of course, you can say you were just posting short hand. But you were
> being pretty specific in your example.
>
> --Dan
>
> --
> T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
> data intensive web and database programming
> http://www.AnalysisAndSolutions.com/
> 4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409
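The two problems Dan points out, unescaped input interpolated into SQL and an unchecked `$_POST` key that raises a notice, are shown side by side below in an added example that is not part of this thread and not anyone's posted code. It uses PDO with an in-memory SQLite database (assumed to be available via the bundled pdo_sqlite extension) in place of the old `mysql_query()` API, and a constructed `$fakePost` array in place of a real request.

```php
<?php
// Added example, not from the thread: the quoted "newbie" insert next to a
// hardened version. PDO + SQLite so it runs offline; the original post used
// the legacy mysql_query() API, which has since been removed from PHP.

// Constructed stand-in for $_POST: the title contains a quote and 'body'
// is missing entirely, the two cases Dan's reply is about.
$fakePost = ['title' => "O'Reilly's blog"];

// Minimal table standing in for the thread's blog_entries table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE blog_entries (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');

// 1. The pattern quoted in the thread: raw $_POST values interpolated into
//    the SQL text. A single quote in the title breaks the statement (and a
//    crafted value could change its meaning), and the missing 'body' key
//    raises an "undefined array key" diagnostic; with display_errors on, that
//    diagnostic prints the script's file path to the client, which is the
//    path disclosure Dan mentions.
function insertUnsafe(PDO $db, array $post): string
{
    $sql = "INSERT INTO blog_entries VALUES (NULL, '{$post['title']}', '{$post['body']}')";
    try {
        $db->exec($sql);
        return 'inserted';
    } catch (PDOException $e) {
        return 'SQL error: ' . $e->getMessage();
    }
}

// 2. Hardened form: confirm each field exists and is a string before use
//    (no notice, so nothing to leak), then bind the values as parameters so
//    the database never parses user input as SQL.
function insertSafe(PDO $db, array $post): string
{
    foreach (['title', 'body'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return "missing field: $field";
        }
    }
    $stmt = $db->prepare('INSERT INTO blog_entries (title, body) VALUES (:title, :body)');
    $stmt->execute([':title' => $post['title'], ':body' => $post['body']]);
    return 'inserted';
}

// The @ only keeps the demo's output tidy; on a real server the suppressed
// diagnostic is exactly the message that exposes the path.
echo "unsafe: " . @insertUnsafe($db, $fakePost) . "\n";
echo "safe:   " . insertSafe($db, $fakePost) . "\n";
echo "safe:   " . insertSafe($db, $fakePost + ['body' => "Body with 'quotes' -- and a comment marker"]) . "\n";

$count = $db->query('SELECT COUNT(*) FROM blog_entries')->fetchColumn();
echo "rows stored: $count\n";   // only the bound insert succeeds
```

Run it with `php example.php`: the unsafe call reports a SQL error because the apostrophe in the title ends the string literal early, the first safe call refuses the request because `body` is absent, and the second safe call stores the row with the quotes and `--` intact, since bound parameters are never interpreted as SQL.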