<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 07/22/2013 12:14 PM, Andy Borgmann
wrote:<br>
</div>
<blockquote
cite="mid:CABGEp7p6nJ_a3engGnp8LdEAw7RMPZ6qugwcGQYJBKTg1BQ8DQ@mail.gmail.com"
type="cite">
<div><span style="font-family:arial,sans-serif;font-size:13px">"I'm
decent with PHP, it's what I do almost all day every day, and
I find new ways to do stupid things with it all the time.
Having torn apart a few PHP frameworks like CodeIgniter and
Kohana, as well as some Ruby on Rails apps, I think frameworks
provide a false sense of security and make it even easier to
do stupid things quickly." - this is why I prefer not to use
Frameworks like CodeIgniter but do custom coding. The thought
(maybe wrong), is that hackers look for what is easiest so
they will try stuff that breaks CodeIgniter and WordPress and
phpBB and the like more than trying to figure out the
intricacies of the custom code.</span><br>
</div>
</blockquote>
<br>
You can mitigate that and save yourself a lot of time and effort,
not to mention save yourself the reinvention of the wheel, by
adopting a framework and getting to know it well.<br>
<br>
If you do what most do, and just pick something and use it, you're
in for a bad ride. Read and understand the framework you use. That
also means don't pick one that you can't read. If it's really a big
deal, then instead of writing custom frameworks for every
application, create your own standard framework that you use as the
basis for the things you create, so that you're only solving a
problem one time.<br>
<br>
<blockquote
cite="mid:CABGEp7p6nJ_a3engGnp8LdEAw7RMPZ6qugwcGQYJBKTg1BQ8DQ@mail.gmail.com"
type="cite">
<div>
</div>
<div><span style="font-family:arial,sans-serif;font-size:13px">I'll
have to look into the Binary injection stuff. I always just
tried the ' OR 1=1' type of stuff to make sure it was secure.
Thanks for that.</span></div>
</blockquote>
<br>
Ah, injection is a very complex thing. To avoid it:<br>
<ol>
<li>Do not allow identifiers to come from untrusted sources.</li>
<li>Sanitize all data that comes from an untrusted source so that
it complies with the rules for the data. If something is
supposed to be an integer, make sure it's an integer and not a
string, and vice versa.</li>
<li>Properly quote all identifiers.</li>
<li>Properly escape and quote all values for the DBMS in use.</li>
</ol>
<p>If you follow those rules, you cannot have injection, because you
can't break out of values, and therefore cannot modify the query
or attempt to start a second query.<br>
</p>
<p>Additionally, one SQL statement per call helps keep things clear,
so that everybody can easily see that injection isn't occurring in
a very clean context.<br>
</p>
<p> — Mike<br>
</p>
<br>
<div class="moz-signature">-- <br>
<table border="0">
<tbody>
<tr>
<td> <img src="cid:part1.08050409.09070802@naunetcorp.com"
alt="Naunet Corporation Logo"> </td>
<td> Michael B. Trausch<br>
<br>
President, <strong>Naunet Corporation</strong><br>
☎ (678) 287-0693 x130 or (888) 494-5810 x130<br>
<br>
</td>
</tr>
</tbody>
</table>
</div>
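<p>Mike's four rules, worked through in PHP as an added example (this is not code from the thread or from any framework named in it). It assumes PDO with an in-memory SQLite database and constructed sample rows; the column whitelist and the quoteIdentifier/findUsers helpers are hypothetical names chosen for the illustration.</p>

```php
<?php
// Added example (not from the thread): the four anti-injection rules in PHP/PDO.
// An in-memory SQLite database with constructed sample rows stands in for the
// real DBMS so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (username, email) VALUES
    ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// Rule 1: identifiers never come from the request. A request may name a sort
// key, but it is mapped through this fixed table, so only known columns reach SQL.
const SORTABLE_COLUMNS = ['id' => 'id', 'name' => 'username', 'email' => 'email'];
// Rule 3: quote every identifier. SQL-standard double quotes suit SQLite and
// PostgreSQL; MySQL uses backticks instead. An embedded quote is doubled.
function quoteIdentifier(string $name): string
{
    return '"' . str_replace('"', '""', $name) . '"';
}

function findUsers(PDO $pdo, string $prefix, string $sortKey, $limit): array
{
    if (!array_key_exists($sortKey, SORTABLE_COLUMNS)) {
        throw new InvalidArgumentException('unknown sort key');
    }
    // Rule 2: an integer must be an integer. filter_var() returns false for
    // anything else, so a string that merely starts with digits is rejected.
    $limit = filter_var($limit, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($limit === false) {
        throw new InvalidArgumentException('limit must be an integer from 1 to 100');
    }
    // LIKE wildcards are a data question rather than an injection one, but a
    // prefix search should still neutralise % and _ typed by the user.
    $pattern = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $prefix) . '%';
    // Rule 4: values go in as bound parameters, never concatenated, so a quote
    // in $prefix cannot end the literal or start a second statement.
    $sql = 'SELECT username, email FROM users WHERE username LIKE :pat ESCAPE \'!\''
         . ' ORDER BY ' . quoteIdentifier(SORTABLE_COLUMNS[$sortKey]) . ' LIMIT :lim';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':pat', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

print_r(findUsers($pdo, 'al', 'name', '10'));        // an ordinary prefix search
print_r(findUsers($pdo, "' OR 1=1 --", 'name', 10)); // the probe is just a string to match
```

The same structure carries over to MySQL or PostgreSQL by swapping the DSN and, for MySQL, the identifier quoting character; the whitelist and the bound parameters are what keep the query shape fixed.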
</body>
</html>