SQL Injection immunity on Ubuntu
Justin M. Wray
wray.justin.ubuntu at gmail.com
Wed May 7 08:26:55 UTC 2008
Dax,
Just as a suggestion, it would be better to be redundant in a case like this. Even though it appears that input has been sanitized elsewhere, I still re-evaluate/clean it before sending it to the SQL server, just in case something along the way gets altered or a different function causes an error.
In security this is a good practice and will result in far more secure code. You must always double-check user input, period.
Another note: don't rely on the front-end to secure the input (things like JavaScript). Clean the input on the backend. An attacker can easily alter the front-end code and/or bypass security checks, sending unsanitized input.
Yes, you should even clean/check input from a drop-down.
Hope this helps!
Thanks,
Justin M. Wray
Sent via BlackBerry by AT&T
-----Original Message-----
From: Dax Solomon Umaming <knightlust at ubuntu.com>
Date: Wed, 7 May 2008 16:03:32
To: ubuntu-server at lists.ubuntu.com
Subject: Re: SQL Injection immunity on Ubuntu
On Wednesday 07 May 2008 3:28:19 pm Onno Benschop wrote:
> Fortunately, PHP comes with a lovely function to help you:
> mysql_real_escape_string()
I have been reviewing the PHP Manual's mysql_real_escape_string() before I
started this thread. I just didn't see any need for implementing it since all
inputs are escaped. Now that I know, I have to do some major refactoring.
Thanks for your input.
--
Dax Solomon Umaming
http://blog.knightlust.com/
GPG: 0x715C3547
--
ubuntu-server mailing list
ubuntu-server at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
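The advice in the thread above (re-check input at the database boundary, never trust the front-end, and validate even drop-down values) as a worked example. This is an added example, not code from either poster or from Ubuntu. It uses PDO prepared statements with an in-memory SQLite database so it runs offline; the table, its rows, the allowed role list and the function names are all constructed here for illustration. It substitutes parameter binding for the mysql_real_escape_string() the thread discusses: that function needs a live MySQL connection, only escapes string contents (it does not help with unquoted numeric values or identifiers), and the whole mysql_* extension was removed in PHP 7, so binding is the practical equivalent today.

```php
<?php
// Added example (not from the original thread). PDO + in-memory SQLite so
// the script is self-contained; rows and role names are constructed data.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'staff'), ('carol', 'guest')");

// The values the HTML <select> offers. An attacker is not bound by the form:
// the request body can carry anything, so this list must be enforced server-side.
const ALLOWED_ROLES = ['admin', 'staff', 'guest'];

// VULNERABLE: trusts that the drop-down already constrained $role and
// splices it straight into the SQL text.
function usersByRoleUnsafe(PDO $db, string $role): array {
    $sql = "SELECT name FROM users WHERE role = '$role'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// HARDENED: re-validate on the backend against the allowlist, then bind the
// value as a parameter so the database never parses it as SQL.
function usersByRoleSafe(PDO $db, string $role): array {
    if (!in_array($role, ALLOWED_ROLES, true)) {
        throw new InvalidArgumentException('role not in allowed set');
    }
    $stmt = $db->prepare('SELECT name FROM users WHERE role = :role');
    $stmt->execute([':role' => $role]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Legitimate submission from the drop-down.
var_dump(usersByRoleSafe($db, 'guest'));      // ["carol"]

// Tampered submission: a value the <select> never offered.
$evil = "guest' OR '1'='1";
var_dump(usersByRoleUnsafe($db, $evil));      // ["alice", "bob", "carol"]: every row leaks

try {
    usersByRoleSafe($db, $evil);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Even without the allowlist, binding keeps the quote inert: the literal
// string "guest' OR '1'='1" simply matches no role.
$stmt = $db->prepare('SELECT name FROM users WHERE role = :role');
$stmt->execute([':role' => $evil]);
var_dump($stmt->fetchAll(PDO::FETCH_COLUMN));  // []
```

Run it with `php example.php` on a PHP build that has pdo_sqlite. The allowlist and the bound parameter are deliberately both present: the allowlist rejects anything the form should never send, and binding guarantees that even a value which slips past validation (or a later refactor that drops the check) cannot change the query's structure, which is the redundancy Justin argues for.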