2008/3/24 14:48:47
Useful info for developers (XSS & SQL Injection)

I've put together a few of the documents I've been reading over the last month or so. They are documents that are useful in understanding and preventing SQL Injection & XSS. Thought I'd share them with you as they have helped me understand a lot more. You can download them from my new site (still under construction): http://www.g7poo.co.uk/modules/wfdownloads/viewcat.php?cid=3
_________________
Live as if you were to die tomorrow, learn as if you were to live forever. The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!
2008/3/24 15:00:04
Re: Useful info for developers (XSS & SQL Injection)

Many thanks - this will certainly be useful.
Is it possible to add this information to the new downloads site as well?
2008/3/24 17:23:08
Re: Useful info for developers (XSS & SQL Injection)

Really impressive, Vaughan, THANKS.
These documents are coming at a great time. 1/2 off-topic: Is there a way to export those files to PDF documents to style world editor?
2008/4/5 8:07:13
Re: Useful info for developers (XSS & SQL Injection)

I see we've been reading some of the same documents.
I think having a parameter to set the type of query is a good idea. The danger still exists for multiple queries of the same type to be executed, though. Of all the tips I have read, properly validating and casting your values is the number 1 way to make your queries safer. In guide-to-php-security-ch3.pdf, the author states Quote:
sprintf() accomplishes the same thing. Once we call the current $db->query, we have no way of knowing if the values were properly validated or sanitized. Something along the lines of what Nachenko suggested might be the way to go: $db->query("SELECT field1, field2 FROM table WHERE field1=%u and field2='%s'", $number, $text); with at least 1 parameter required. Then, in the query method, use sprintf(), mysql_real_escape_string() and addcslashes() to properly prepare the SQL statement before executing.
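The placeholder-typed query method sketched in the post above, as an added example that is not XOOPS code nor the poster's own; the class name, the `build()` method and the injected escaper callback are assumptions, and the demo uses addslashes() only as a stand-in for mysqli's real_escape_string so it runs without a database.

```php
<?php
// Added example: a sprintf-style query builder where each placeholder fixes the
// type of its argument, so values are cast or escaped before they reach the SQL.
// Hypothetical names; not part of any real project.

class TypedQueryBuilder
{
    /** @var callable string escaper, e.g. [$mysqli, 'real_escape_string'] */
    private $escape;

    public function __construct(callable $escape)
    {
        $this->escape = $escape;
    }

    /**
     * Build an SQL string from a format using %d, %u and %s placeholders.
     * %d / %u arguments are cast to integers (so "7 OR 1=1" becomes 7),
     * %s arguments are run through the escaper and must be wrapped in quotes
     * in the format string itself. At least one parameter is required.
     */
    public function build(string $format, ...$args): string
    {
        if (count($args) < 1) {
            throw new InvalidArgumentException('at least one parameter is required');
        }
        preg_match_all('/%([dus])/', $format, $m);
        if (count($m[1]) !== count($args)) {
            throw new InvalidArgumentException('placeholder/argument count mismatch');
        }
        $prepared = [];
        foreach ($m[1] as $i => $type) {
            $v = $args[$i];
            if ($type === 'd') {
                $prepared[] = (int) $v;
            } elseif ($type === 'u') {
                // sprintf's %u would print a negative int as a huge unsigned value; clamp instead
                $prepared[] = max(0, (int) $v);
            } else {
                $prepared[] = ($this->escape)((string) $v);
            }
        }
        return vsprintf($format, $prepared);
    }
}

// Demo with a stand-in escaper (constructed inputs); use the mysqli escaper in production.
$qb = new TypedQueryBuilder(fn(string $s) => addslashes($s));
echo $qb->build("SELECT field1, field2 FROM table WHERE field1=%u AND field2='%s'",
                "7 OR 1=1", "O'Brien"), "\n";
```

Escaping only protects a %s value that sits inside quotes in the format string; an unquoted %s would still be a hole, which is why the type is fixed by the placeholder rather than by the caller.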