News Feed
Sections




News Archive
feed this:

Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Evert Pot's Blog:
Devshed article about SQL Injection
January 08, 2009 @ 07:51:43

Evert Pot responds to a recent DevShed article in a new post to his blog today.

The one major flaw in the article is that it is suggested input validation is enough protection. This is not the case.

He notes that their solution just isn't enough to really protect much of anything in your scripts. He corrects the articles where it says that mysql_real_escape_string is a good secondary line of defense by suggesting that you always use it. It is a much more effective way to remove potentially harmful characters than a regular expression of your own devise.

0 comments voice your opinion now!
sql injection devshed security mysqlrealescapestring experience


DevShed:
Database Security Guarding Against SQL Injection
November 11, 2008 @ 07:54:31

DevShed finishes off their series on database security in PHP applications with this look at protecting your application and data from the threat of SQL injections.

In this article we will continue to explore various attacks that can be made on a database and how to prevent these attacks. We will also build the last page of our site.

Their example script is a login for a secured area of the site and contains a possible place for an injection - non-validated user input. With something as simple as making the username a single quote, an attacker could find out more about your database structure and use that to get further into your systems. To avoid it, they recommend validating with the mysql_real_escape_string function as a first line of defense.

0 comments voice your opinion now!
sql injection database security tutorial validate user input mysqlrealescapestring


Ivo Jansch's Blog:
Don't use addslashes for database escapes
December 03, 2007 @ 15:27:00

Ivo Jansch has a reminder for developers when they're putting user data into their databases - don't use addslashes.

[Addslashes] is not the best way to escape data. The most important reason is security. addslashes can lure you into a false sense of security. As Chris Shiflett points out, there are situations that addslashes doesn't escape. Use mysql_real_escape_string instead.

Ivo also talks about the advantages of using the right function and suggests another even more secure way too - PDO.

0 comments voice your opinion now!
addslashes mysqlrealescapestring user input pdo addslashes mysqlrealescapestring user input pdo


Chris Shiflett's Blog:
The Unexpected SQL Injection
October 01, 2007 @ 08:47:00

Chris Shiflett points out an unexpected SQL injection possibility as presented by Alexander Andonov for PHP (involving mysql_real_escape_string).

The focus of the article is stressing the importance of filtering input and escaping output, as neither is a substitute for the other, but he does so very clearly with specific examples [...] A number of example exploits are supplied for each case, and he discusses which ones work, which ones don't, and why.

Chris also uses the post to link to Paul Reinheimer's post about add_slashes versus mysql_escape_string and his own post on the same topic.

0 comments voice your opinion now!
mysqlrealescapestring addslashes mysqlescapestring xss mysqlrealescapestring addslashes mysqlescapestring xss



Community Events





Don't see your event here?
Let us know!


threedevsandamaybe laravel community developer opinion podcast code release refactor framework introduction install series configure interview symfony2 unittest language testing list

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework