[thelist] Keeping PHP forms secure

Sales @ Lycosa sales at lycosa.co.uk
Tue Aug 7 09:34:51 CDT 2007


<snip>
In, for instance, Perl you would generally do something along the  
lines of:

use DBI;
# Connection details ($dsn, $user, $pass) are assumed, not shown in the original snippet
my $dbh = DBI->connect($dsn, $user, $pass, { RaiseError => 1 });
my $statement = "INSERT into Foo values(?,?,?)";
my $sth = $dbh->prepare($statement);
# Values are bound to the ? placeholders by the driver, never interpolated into the SQL
$sth->execute($value1, $value2, $value3);
$sth->execute($valueA, $valueB, $valueC);

The escaping of potentially dangerous characters is all handled by  
standard routines which automatically change depending on the  
database driver (to handle variations between types of database).
</snip>

I see. This looks like a database abstraction. It would be easy enough to
write (or use an existing) database abstraction, and add the relevant checks
at that point. This is where the regular expressions would reside.

The mysql functions in PHP don't sanitize the input, although there are
functions such as the one Nan originally stated: mysql_real_escape_string().

<snip>
> Anything other than correct input data is either a user error, or  
> malicious.

Or a design error in determining what 'correct' is in the first place.
</snip>
touché!

Phil
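An added example (not code from the thread): a small PHP database abstraction in the spirit of the Perl DBI snippet above, built on PDO prepared statements so form values are bound as parameters rather than escaped and concatenated, with an allow-list input check living at the same layer. The table name, the username pattern and the in-memory SQLite DSN are assumptions for this example.

```php
<?php
// Added example, not from the original thread. A tiny database abstraction in
// the spirit of the Perl DBI snippet: every query goes through PDO prepared
// statements, so untrusted form values are bound as parameters and never
// interpolated into SQL text. Input checks sit at this same layer.
// Runs stand-alone against an in-memory SQLite database (needs pdo_sqlite).
declare(strict_types=1);

final class Db
{
    private PDO $pdo;

    public function __construct(string $dsn)
    {
        $this->pdo = new PDO($dsn, null, null, [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real placeholders where the driver supports them
        ]);
    }

    /** Run a parameterised statement; values in $params never touch the SQL text. */
    public function run(string $sql, array $params = []): PDOStatement
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt;
    }

    /** Allow-list check for one field; the pattern is an assumption for this example. */
    public static function checkUsername(string $v): string
    {
        if (!preg_match("/\\A[A-Za-z0-9_.'-]{1,32}\\z/", $v)) {
            throw new InvalidArgumentException('username does not match the allowed pattern');
        }
        return $v;
    }
}

$db = new Db('sqlite::memory:');
$db->run('CREATE TABLE foo (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)');

// Constructed form input containing a quote character: bound as a parameter,
// it is stored verbatim as data, with no escaping code in this file.
$name  = Db::checkUsername("O'Brien");
$email = 'obrien@example.com';
$db->run('INSERT INTO foo (name, email) VALUES (?, ?)', [$name, $email]);

$row = $db->run('SELECT name FROM foo WHERE email = ?', [$email])->fetch(PDO::FETCH_ASSOC);
var_dump($row['name'] === $name); // whether the value came back byte-for-byte
```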
