Re: Useful info for developers (XSS & SQL Injection) |
by skenow on 2008/4/5 8:07:13 I see we've been reading some of the same documents. I think having a parameter to set the type of query is a good idea. The danger still exists for multiple queries of the same type to be executed, though. Of all the tips I have read, properly validating and casting your values is the Number 1 way to make your queries safer. In guide-to-php-security-ch3.pdf, the author states Quote:
sprintf() accomplishes the same thing. Once we call the current $db->query, we have no way of knowing if the values were properly validated or sanitized. Something along the lines of what Nachenko suggested might be the way to go: $db->query("SELECT field1, field2 FROM table WHERE field1=%u and field2='%s'", $number, $text); with at least 1 parameter required. Then, in the query method, use sprintf(), mysql_real_escape_string() and addcslashes() to properly prepare the SQL statement before executing. |
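The typed-placeholder query method described in the post above, written out as an added example (not code from this thread or from XOOPS): the format string declares each value's type, integers are validated and cast, strings are escaped, and anything that does not match is refused before any SQL is built. The class name, the $escape callback and the offline escaper are assumptions made for this example.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper illustrating the idea in the post: the query format
 * declares the type of each value, and the helper casts or escapes it.
 */
final class TypedQuery
{
    /** @var callable(string): string  escapes a string for the target connection */
    private $escape;

    public function __construct(callable $escape)
    {
        $this->escape = $escape;
    }

    /**
     * Placeholders:
     *   %u  unsigned integer: validated with FILTER_VALIDATE_INT, emitted unquoted
     *   %d  signed integer:   same, negatives allowed
     *   %s  string: must be written as '%s' in the format; the value is escaped
     *   %%  literal percent sign
     * Unknown placeholders and argument-count mismatches throw, so an
     * unhandled value can never end up concatenated into the SQL.
     */
    public function build(string $format, ...$args): string
    {
        if ($args === []) {
            throw new InvalidArgumentException('at least one parameter is required');
        }
        $next = 0;
        $count = 0;
        $sql = preg_replace_callback(
            '/%(.)/',
            function (array $m) use (&$next, $args, $format): string {
                $spec   = $m[1][0];   // the character after '%'
                $offset = $m[0][1];   // position of the '%' itself
                if ($spec === '%') {
                    return '%';
                }
                if (!array_key_exists($next, $args)) {
                    throw new InvalidArgumentException('too few arguments for format');
                }
                $value = $args[$next++];
                switch ($spec) {
                    case 'u':
                    case 'd':
                        $n = filter_var($value, FILTER_VALIDATE_INT);
                        if ($n === false || ($spec === 'u' && $n < 0)) {
                            throw new InvalidArgumentException(
                                "%$spec expects an integer, got " . var_export($value, true)
                            );
                        }
                        return (string) $n;
                    case 's':
                        // Refuse an unquoted %s: an escaped value outside quotes is
                        // still parsed as SQL, so escaping alone would not protect it.
                        $before = $offset > 0 ? $format[$offset - 1] : '';
                        $after  = $format[$offset + 2] ?? '';
                        if ($before !== "'" || $after !== "'") {
                            throw new InvalidArgumentException("%s must be written as '%s' in the format");
                        }
                        return ($this->escape)((string) $value);
                    default:
                        throw new InvalidArgumentException("unknown placeholder %$spec");
                }
            },
            $format,
            -1,
            $count,
            PREG_OFFSET_CAPTURE
        );
        if ($next !== count($args)) {
            throw new InvalidArgumentException('too many arguments for format');
        }
        return $sql;
    }
}

// Constructed escaper so the example runs without a database; it mirrors the
// characters mysql_real_escape_string() handles. Against a live server pass
// [$mysqli, 'real_escape_string'] after mysqli::set_charset(), because
// correct escaping depends on the connection charset.
$escape = static fn (string $s): string => str_replace(
    ["\\", "\0", "\n", "\r", "'", "\"", "\x1a"],
    ["\\\\", "\\0", "\\n", "\\r", "\\'", "\\\"", "\\Z"],
    $s
);

$q = new TypedQuery($escape);

echo $q->build("SELECT field1, field2 FROM table WHERE field1=%u AND field2='%s'", 42, "O'Reilly"), "\n";
// SELECT field1, field2 FROM table WHERE field1=42 AND field2='O\'Reilly'

// A non-numeric value in a numeric slot is rejected instead of being concatenated.
try {
    $q->build("SELECT * FROM table WHERE id=%u", "1 OR 1=1");
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The helper keeps the post's convention of writing the quotes in the format (`field2='%s'`) and checks that they are there, since an escaped string outside quotes is still executable SQL. On current PHP the mysql_* extension no longer exists; mysqli and PDO prepared statements give the same type separation at the driver level and are the usual choice, but the validation-and-cast rule the post describes applies either way.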
Re: Useful info for developers (XSS & SQL Injection) |
by GibaPhp on 2008/3/24 17:23:08 Really impressive, Vaughan, THANKS. These documents are coming at a great time. 1/2 off-topic: Is there a way to export those files to PDF documents to style world editor? |
Re: Useful info for developers (XSS & SQL Injection) |
by davidl2 on 2008/3/24 15:00:04 Many thanks - this will certainly be useful. Would it be possible to add this information to the new downloads site as well? |
Useful info for developers (XSS & SQL Injection) |
by Vaughan on 2008/3/24 14:48:47 I've put together a few of the documents I've been reading over the last month or so. They are documents that are useful in understanding and preventing SQL Injection & XSS. Thought I'd share them with you as they have helped me understand a lot more. You can download them from my new site (still under construction): http://www.g7poo.co.uk/modules/wfdownloads/viewcat.php?cid=3 |