[nycphp-talk] Not-so-subtle attack on PHP
Kenneth Downs
ken at secdat.com
Wed Sep 26 14:10:30 EDT 2007
Jake McGraw wrote:
> Oh snap!
>
> Personally, I like the flexibility PHP gives you in determining what
> you can put in your queries and with PHP 5+, using the filter
> functions and querying a MySQL DB with mysqli is a full proof method
> of preventing SQL injection.
>
> - jake
>
>
Me too.
Nobody ever notices this, but the name ought to give it away, "SQL
Injection". Not "PHP Injection".
The root cause of the SQL injection vulnerability lies in the use of the
database, not the code that accesses it.
Applying security in the database renders you structurally immune from
SQL injection.
--
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com www.andromeda-project.org
631-689-7200 Fax: 631-689-0527
cell: 631-379-0010
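An added example, not code from either poster, showing the mechanism Jake is relying on: a query that concatenates user input into the SQL text beside the same query written with bound parameters. It uses Python's sqlite3 module and an in-memory database so it runs stand-alone; the users table, the two accounts and the payload are constructed for the example, and the bind-parameter call is the same thing a mysqli prepared statement does on the PHP side.

```python
import sqlite3

# Constructed sample data: an in-memory table standing in for the
# MySQL users table a PHP login form would query.
SAMPLE_USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
]

# Constructed attacker input: closes the quoted password literal and
# appends a condition that is always true.
PAYLOAD = "' OR '1'='1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    # Interpolates the input straight into the SQL text, the same shape
    # as PHP's "$sql = \"... WHERE name='$name' AND password='$pw'\"".
    # Whatever the user typed is parsed as part of the statement.
    sql = ("SELECT name FROM users WHERE name='%s' AND password='%s'"
           % (name, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, name, password):
    # The SQL text is fixed; the values are handed to the driver
    # separately and never pass through the SQL parser, so a quote in
    # the input is just a character inside a string value.
    sql = "SELECT name FROM users WHERE name=? AND password=?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both login functions against honest and hostile input."""
    conn = make_db()
    return {
        "honest_vuln": login_vulnerable(conn, "alice", "s3cret"),
        "honest_param": login_parameterized(conn, "alice", "s3cret"),
        # Interpolated: WHERE name='alice' AND password='' OR '1'='1'
        # matches every row, so the attacker is logged in as alice.
        "attack_vuln": login_vulnerable(conn, "alice", PAYLOAD),
        # Bound: the password column is compared to the literal string
        # "' OR '1'='1", which matches nothing.
        "attack_param": login_parameterized(conn, "alice", PAYLOAD),
    }


if __name__ == "__main__":
    for case, who in demo().items():
        print(f"{case}: {who}")
```

The database-side half of the argument (grants, views and stored procedures that limit what any injected statement could do) is not reproduced here, since SQLite has no privilege model; this block only shows why the client-side choice between interpolation and bound parameters decides whether the payload reaches the parser at all.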