Re: checking web applications for exploits

[Jeff MacDonald <jam () zoidtechnologies com>]

Greetings,

On Sunday, July 24, 2011 07:40:15 PM Littlefield, Tyler wrote:
> Hello all:
[..snipped..]
> Each input to the web form is validated based on length
> and a couple other factors depending on the data being inputted, and
> -anything- going to the database goes through this function before it
> gets validated.
> function CleanupInput($input)
> {
>      return  mysql_escape_string(addslashes($input));
> }
> Any other thoughts?

Yes.. older version of php have a "feature" that will "automagically" add 
slashes. Instead of calling addslashes all the time, check the result of 
get_magic_quotes_gpc()[2]  first.

Also, if you use "bound parameters", you can move the escaping of user input 
to the "view" of the data.

For database abstraction, I use a package called "MDB2"[1] which makes using 
bound parameters, transactions, etc a lot simpler for a variety of databases.

Regards,
J

[1] http://pear.php.net/MDB2
[2] http://www.php.net/manual/en/function.get-magic-quotes-gpc.php


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------