[thelist] Null entry in form
Phil Turmel
pturmel-webdev at turmel.org
Thu Apr 26 06:17:43 CDT 2007
Santilal Parbhu wrote:
> Thanks Phil
>
> Your advice worked perfectly. I received a few other useful tips from others
> and I will look at implementing those suggestions in a later upgrade.
>
> Your comments about security vulnerabilities are welcomed. I have been
> trying to find out more about security issues. Can you explain briefly what
> a "SQL injection" actually is and how it makes your site vulnerable? If
> it is too complex to explain here, can you refer me to another resource where I
> can find out about these things?
>
> Once again thanks. You saved my bacon.
>
> Santilal
>
Santilal,
Good to hear it worked for you.
In regards to PHP Injection, let me quote from one of the sites Google
just pulled up for me:
"Every time you solicit user input to construct a database query, you
are permitting that user to participate in the construction of a command
to the database server. ..... Your task as a programmer is to find a way
to make such injections impossible." [1]
A Google search on "php sql injection" pulls up numerous explanations
and tutorials.
The bottom line: every piece of data from the user that is concatenated
into your SQL query needs to be checked and/or filtered to be sure you
only get what you expect, and that any strings are properly quoted/escaped.
Phil
[1] http://www.phpbuilder.com/columns/ProPHPSecurity_excerpt.php3
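The point in Phil's "bottom line" paragraph, shown as an added example that is not part of the original thread: the same lookup written three ways, first with the user's value concatenated into the query text (the pattern that makes injection possible), then with the value passed as a bound parameter, and then with the quote escaped for the rare case where concatenation cannot be avoided. An allowlist check is layered on top as the "checked and/or filtered" step. The example uses Python's built-in sqlite3 module and an in-memory database with constructed rows rather than PHP and MySQL, because the mechanics are identical and it runs without a server. The table, column and user names are invented for illustration.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory sample data (not from the original thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.invalid"),
            ("bob", "bob@example.invalid"),
            ("o'brien", "obrien@example.invalid"),  # legitimate name containing a quote
        ],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable: the user's value becomes part of the SQL text itself.

    A value containing a single quote closes the string literal early, so the
    rest of the value is parsed as SQL. A harmless name such as o'brien simply
    breaks the query; a crafted value changes what the query returns.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Hardened: the value travels as a bound parameter, never as SQL text.

    The database receives the query shape and the value separately, so no
    content of `name` can alter the statement. This is the primary defence.
    """
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def lookup_escaped(conn, name):
    """Fallback when concatenation is unavoidable: quote the value correctly.

    Standard SQL escapes a single quote inside a string literal by doubling it.
    Use the database driver's own quoting routine in real code; this manual
    version is only here to show why 'properly quoted/escaped' matters.
    """
    sql = "SELECT name FROM users WHERE name = '" + name.replace("'", "''") + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_validated(conn, name):
    """Check the input shape first, then use the parameterised query.

    Rejecting anything that does not look like a user name keeps unexpected
    data out of the database layer entirely; the bound parameter still
    protects the query if the allowlist is ever loosened.
    """
    if not re.fullmatch(r"[A-Za-z0-9_]{1,32}", name):
        raise ValueError("invalid user name")
    return lookup_safe(conn, name)


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"
    print("unsafe   :", lookup_unsafe(db, probe))    # every row comes back
    print("safe     :", lookup_safe(db, probe))      # []
    print("escaped  :", lookup_escaped(db, probe))   # []
    print("safe     :", lookup_safe(db, "o'brien"))  # ["o'brien"]
```

The allowlist in `lookup_validated` is the "only get what you expect" half of Phil's advice and deliberately rejects names such as o'brien; whether that is acceptable depends on the data, which is why the bound parameter, not the filter, is what actually keeps user input out of the SQL text.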