[nycphp-talk] Not-so-subtle attack on PHP
Jake McGraw
jmcgraw1 at gmail.com
Wed Sep 26 13:53:02 EDT 2007
Oh snap!
Personally, I like the flexibility PHP gives you in determining what
you can put in your queries and, with PHP 5+, using the filter
functions and querying a MySQL DB with mysqli is a foolproof method
of preventing SQL injection.
- jake
On 9/26/07, Kenneth Downs <ken at secdat.com> wrote:
>
> From: http://www.eweek.com/article2/0,1759,2188714,00.asp
>
> Q: How can sites protect themselves against SQL injection?
> A: The best defense is to design your database-backed Web site properly to
> make sure it always separates SQL code and user data. You basically have a
> choice between programming tools that are specifically designed to prevent
> you from making this kind of mistake and those that allow you to get into
> trouble if you're not careful. Roughly speaking, this corresponds to the
> difference between the newer Microsoft .Net tools and their older tools or
> open source frameworks like PHP.
> --
> Kenneth Downs
> Secure Data Software, Inc.
> www.secdat.com www.andromeda-project.org
> 631-689-7200 Fax: 631-689-0527
> cell: 631-379-0010
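As an added example (not part of Jake's post or the quoted eWeek article), here is the string-concatenation pattern the article warns about beside the mysqli prepared-statement pattern Jake recommends, with a filter_var() check from the filter extension on the input. The table users(id, email) and the connection credentials are assumed placeholders, not anything from the thread.

```php
<?php
// Added example, not code from the original thread.
// Assumes a hypothetical table `users(id INT, email VARCHAR)` and
// placeholder connection details.

declare(strict_types=1);

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Placeholder credentials (assumption).
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');

// UNSAFE: user data is spliced into the SQL text, so the server's parser
// cannot tell code from data. A quote character in $email changes the
// meaning of the statement. Shown only for contrast with the prepared form.
function findUserUnsafe(mysqli $db, string $email): ?array
{
    $sql = "SELECT id, email FROM users WHERE email = '" . $email . "'";
    $row = $db->query($sql)->fetch_assoc();
    return $row ?: null;
}

// SAFE: validate the shape of the input with the filter extension, then
// send the SQL text and the value to the server separately via a
// prepared statement. The bound value is never parsed as SQL.
function findUserSafe(mysqli $db, string $email): ?array
{
    // filter_var() returns false when the value is not a syntactically
    // valid e-mail address; reject early rather than query with it.
    $clean = filter_var($email, FILTER_VALIDATE_EMAIL);
    if ($clean === false) {
        return null;
    }

    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = ?');
    $stmt->bind_param('s', $clean); // 's' = string; value travels as data
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage with a constructed input value.
var_dump(findUserSafe($db, 'alice@example.com'));
```

bind_param() is what provides the code/data separation the article describes; filter_var() only adds a shape check and would not by itself stop injection. Binding covers values only: table and column names, ORDER BY directions and similar identifiers cannot be bound and should come from a fixed allow-list in the code. get_result() requires the mysqlnd driver; with libmysqlclient use bind_result() instead.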