Re: Useful info for developers (XSS & SQL Injection)
Subject: Re: Useful info for developers (XSS & SQL Injection) by skenow on 2008/4/5 8:07:13

I see we've been reading some of the same documents. I think having a parameter to set the type of query is a good idea. The danger still exists for multiple queries of the same type to be executed, though. Of all the tips I have read, properly validating and casting your values is the Number 1 way to make your queries safer. In guide-to-php-security-ch3.pdf, the author states Quote:
sprintf() accomplishes the same thing. Once we call the current $db->query, we have no way of knowing if the values were properly validated or sanitized. Something along the lines of what Nachenko suggested might be the way to go - $db->query("SELECT field1, field2 FROM table WHERE field1=%u and field2='%s'", $number, $text); with at least 1 parameter required. Then, in the query method, use sprintf(), mysql_real_escape_string() and addcslashes() to properly prepare the SQL statement before executing.
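A PHP sketch of the query method described in the post, added here as an example and not the poster's or any project's code. It assumes a mysqli connection (the `$conn` passed to the constructor is hypothetical) and goes one step beyond the post's format: `%s` both escapes and quotes the value itself, so a missing pair of quotes in the format string cannot leave an unquoted, injectable gap.

```php
<?php
// Added example: a query method built around the format-string idea above.
// Placeholders: %u casts to a non-negative integer, %d to a signed integer,
// %s escapes a string with the connection's charset and wraps it in quotes.
// $conn is an assumed mysqli connection; real_escape_string() is the mysqli
// equivalent of the mysql_real_escape_string() mentioned in the post.
class SafeDb
{
    private $conn;

    public function __construct(mysqli $conn)
    {
        $this->conn = $conn;
    }

    // Build the SQL text. Every value is cast or escaped according to its
    // placeholder, so raw input never reaches the statement unmodified.
    // Note: a literal % in the SQL must not be followed by u, d or s.
    public function prepare($format, ...$values)
    {
        $expected = preg_match_all('/%[uds]/', $format);
        if ($expected === 0) {
            throw new InvalidArgumentException('at least one placeholder is required');
        }
        if ($expected !== count($values)) {
            throw new InvalidArgumentException("expected $expected values, got " . count($values));
        }
        $i = 0;
        return preg_replace_callback('/%[uds]/', function ($m) use (&$i, $values) {
            $v = $values[$i++];
            switch ($m[0]) {
                case '%u': return (string) max(0, (int) $v);   // unsigned integer
                case '%d': return (string) (int) $v;           // signed integer
                default:   return "'" . $this->conn->real_escape_string((string) $v) . "'";
            }
        }, $format);
    }

    public function query($format, ...$values)
    {
        return $this->conn->query($this->prepare($format, ...$values));
    }
}

// Usage (values are constructed stand-ins for request input):
// $db = new SafeDb($conn);
// $db->query("SELECT field1, field2 FROM table WHERE field1=%u AND field2=%s",
//            "12abc", "O'Brien");
// produces: SELECT field1, field2 FROM table WHERE field1=12 AND field2='O\'Brien'
```

The same interface maps directly onto mysqli or PDO prepared statements, which keep the values out of the SQL text entirely and are the preferable route where the driver supports them.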