WebApp Sec mailing list archives
Re: PHP for preventing SQL injections?
From: David Cameron <david () uberconcept com>
Date: Tue, 23 Sep 2003 21:56:22 +1000
In addition you will now have to remember to decode everything you read from the database, and you will also have a hard time accessing the database using tools other than the web application. And of course, the field size requirements of the application increase. If you use Base64, I even think it will be impossible to create working LIKE clauses, as the bits from a single original character may or may not be split in two depending on the position the character has in the sequence. Even sorting won't work as expected: "aaa" encodes to "YWFh", while "aaz" ( > "aaa") encodes to "YWF6" ( < "YWFh").
This also has the effect of making ad-hoc reporting an absolute pain in the butt. The result of this is that:
1. An extra reporting layer must be created, because you can no longer just query the database to check the values the database holds during development/maintenance/testing. Even if the reporting layer is never used by the client, without it you can't write/debug code effectively.
2. This creates another potential failure area (security or otherwise). You would need to spend significant time on the reporting layer to ensure that the reports *are* accurate.
regards,
David Cameron
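An added example, not part of the original thread, that reproduces the two breakages described above using Python's sqlite3 and a constructed set of names: Base64-stored values do not sort like the originals and a prefix LIKE finds nothing, whereas bound parameters store the raw text (quote included) without any encoding.

```python
import base64
import sqlite3

# Constructed sample values: "aaz" sorts after "aaa"; O'Brien carries a quote.
SAMPLE_NAMES = ["aaa", "aaz", "aab", "O'Brien"]
TABLES = ("raw", "enc")


def b64(s):
    return base64.b64encode(s.encode()).decode()


def build_db():
    """Store the same names twice: as-is via bound parameters (table raw),
    and Base64-encoded as the scheme under discussion does (table enc)."""
    conn = sqlite3.connect(":memory:")
    for t in TABLES:
        conn.execute(f"CREATE TABLE {t} (name TEXT)")
    for n in SAMPLE_NAMES:
        # The bound parameter keeps the quote in O'Brien as data, not SQL.
        conn.execute("INSERT INTO raw VALUES (?)", (n,))
        conn.execute("INSERT INTO enc VALUES (?)", (b64(n),))
    return conn


def sorted_names(conn, table):
    """ORDER BY on the stored column; encoded rows are decoded after reading."""
    if table not in TABLES:  # table names cannot be bound, so whitelist them
        raise ValueError(table)
    rows = [r[0] for r in conn.execute(f"SELECT name FROM {table} ORDER BY name")]
    if table == "enc":
        rows = [base64.b64decode(r).decode() for r in rows]
    return rows


def prefix_matches(conn, table, prefix):
    """Count names starting with prefix via LIKE, as an ad-hoc report would.
    For the encoded table the prefix is encoded (padding stripped) first."""
    if table not in TABLES:
        raise ValueError(table)
    pattern = (prefix if table == "raw" else b64(prefix).rstrip("=")) + "%"
    sql = f"SELECT COUNT(*) FROM {table} WHERE name LIKE ?"
    return conn.execute(sql, (pattern,)).fetchone()[0]


def lookup(conn, name):
    """Exact match on the raw table with a bound parameter; O'Brien is found."""
    sql = "SELECT COUNT(*) FROM raw WHERE name = ?"
    return conn.execute(sql, (name,)).fetchone()[0]
```

With the encoded table, ORDER BY returns aaz before aaa and LIKE 'YWE%' matches none of the "aa..." rows, because the Base64 of "aa" is not a prefix of the Base64 of "aaa".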