[thelist] Null entry in form

Phil Turmel pturmel-webdev at turmel.org
Thu Apr 26 06:17:43 CDT 2007

Santilal Parbhu wrote:
> Thanks Phil
> Your advice worked perfectly.  I received a few other useful tips from other
> and I will look at implementing those suggestions in a later upgrade.
> Your comments about security vulnerabilities are welcomed.  I have been
> trying to find out more about security issues.  Can you explain briefly what
> a "SQL injection" actually is and how it makes or your site vulnerable?  If
> it is too complex to explain here can you refer to another resource where I
> can find out about these things.
> Once again thanks.  You saved my bacon.
> Santilal

Good to hear it worked for you.

In regards to PHP Injection, let me quote from one of the sites google 
just pulled up from me:

"Every time you solicit user input to construct a database query, you 
are permitting that user to participate in the construction of a command 
to the database server. ..... Your task as a programmer is to find a way 
to make such injections impossible." [1]

A google search on "php sql injection" pulls up numerous explanations 
and tutorials.

The bottom line:  every piece of data from the user that is concatenated 
into your SQL query needs to be checked and/or filtered to be sure you 
only get what you expect, and that any strings are properly quoted/escaped.


[1] http://www.phpbuilder.com/columns/ProPHPSecurity_excerpt.php3

More information about the thelist mailing list