Security Basics mailing list archives
Re: checking web applications for exploits
From: Jeff MacDonald <jam () zoidtechnologies com>
Date: Tue, 26 Jul 2011 16:08:53 -0400
Greetings, On Sunday, July 24, 2011 07:40:15 PM Littlefield, Tyler wrote:
Hello all:
[..snipped..]
Each input to the web form is validated based on length and a couple other factors depending on the data being inputted, and -anything- going to the database goes through this function before it gets validated. function CleanupInput($input) { return mysql_escape_string(addslashes($input)); } Any other thoughts?
Yes.. older version of php have a "feature" that will "automagically" add slashes. Instead of calling addslashes all the time, check the result of get_magic_quotes_gpc()[2] first. Also, if you use "bound parameters", you can move the escaping of user input to the "view" of the data. For database abstraction, I use a package called "MDB2"[1] which makes using bound parameters, transactions, etc a lot simpler for a variety of databases. Regards, J [1] http://pear.php.net/MDB2 [2] http://www.php.net/manual/en/function.get-magic-quotes-gpc.php ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- checking web applications for exploits Littlefield, Tyler (Jul 25)
- Message not available
- Re: checking web applications for exploits Madhur Ahuja (Jul 25)
- Message not available
- Re: checking web applications for exploits Matthew Finkel (Jul 25)
- Re: checking web applications for exploits Maarten Hoogveld (Jul 26)
- Re: checking web applications for exploits Harshvardhan Parmar (Jul 27)
- RE: checking web applications for exploits Sheldon Malm (Jul 27)
- Re: checking web applications for exploits Maarten Hoogveld (Jul 26)