Bugtraq mailing list archives

RE: TWIG SQL query bugs


From: "Jeff Dafoe" <jeffd () evcom net>
Date: Thu, 31 May 2001 11:42:56 -0400

Good programming practice is to code a function specifically to strip any
possible malicious characters out of strings, and wrap it around every
variable put into a query, whether it should be user-supplied or not.
Addslashes is a good function to call from your stripping function, but it
should not be your only line of defense.

Remember that truly good programming practice is to make sure that your
sanitization function defines what is allowed to exist in the string (known
good) and then strips everything else out.  This and other items relating to
secure programming practices are discussed in the secprog mailing list
(secprog () securityfocus com).


Jeff
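An added example (not code from the post or from TWIG) of the "known good" sanitization Jeff describes, written in Python rather than PHP: each field type lists the characters allowed in it and everything else is stripped. The field types, the sample rows and the in-memory SQLite database are constructed for the demo. In place of addslashes, the second line of defense shown is the database driver's parameter binding, which keeps the value out of the SQL text entirely; the `require_clean` variant illustrates the caveat that stripping silently turns one value into another, so rejecting is sometimes the safer choice.

```python
import sqlite3
import string

# Allow-lists: each field type names the characters that may appear in it
# (known good); everything else is stripped. These field types are chosen
# for this demo, not a scheme from the original post.
ALLOWED_CHARS = {
    "username": frozenset(string.ascii_letters + string.digits + "_.-"),
    "integer": frozenset(string.digits),
}


def sanitize(value: str, kind: str) -> str:
    """Keep only characters in the allow-list for `kind`; drop the rest."""
    allowed = ALLOWED_CHARS[kind]
    return "".join(ch for ch in value if ch in allowed)


def is_clean(value: str, kind: str) -> bool:
    """True when the value already consists solely of allowed characters."""
    return sanitize(value, kind) == value


def require_clean(value: str, kind: str) -> str:
    """Stricter variant: reject instead of silently altering the value.

    Stripping turns "alice'" into "alice", which names a different account;
    where that matters, failing the request is safer than repairing it.
    """
    if not is_clean(value, kind):
        raise ValueError(f"{kind} field contains characters outside the allow-list")
    return value


def make_demo_db() -> sqlite3.Connection:
    """In-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def lookup_user(conn: sqlite3.Connection, raw_username: str):
    """Two layers: allow-list the input, then bind it as a query parameter.

    The driver's parameter binding (the '?' placeholder) is the second line
    of defense: the value is never spliced into the SQL text, so the query
    structure cannot change regardless of what the sanitizer let through.
    """
    name = sanitize(raw_username, "username")
    cur = conn.execute("SELECT id, username FROM users WHERE username = ?", (name,))
    return cur.fetchone()


if __name__ == "__main__":
    db = make_demo_db()
    print(sanitize("ann-marie o'neil", "username"))   # ann-marieoneil
    print(lookup_user(db, "alice"))                   # (1, 'alice')
    print(lookup_user(db, "alice'"))                  # also (1, 'alice'): stripping changed the value
    try:
        require_clean("alice'", "username")
    except ValueError as exc:
        print("rejected:", exc)
```

The allow-lists are deliberately per-field: a username, a numeric id and a free-text comment each need a different "known good" set, and one catch-all stripper tends to grow until it is a deny-list in disguise.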

