Secure Coding mailing list archives

Re: Scripting Languages and Secure Coding


From: Timo Sirainen <tss () iki fi>
Date: Thu, 04 Dec 2003 02:04:10 +0000

On Wed, 2003-12-03 at 06:20, M. Buchzik wrote:
> For example, with this function I would feel absolutely secure:
> if (is_numeric($_GET['count'])) {
>   // Insert $_GET['count'] into Database ...
>   // alternatives: is_int(), is_float(), ... whatever needed
> }
>
> Unfortunately, the most often found function in the web would look like
> this:
> if ($count) {
>   // Insert my sql injection ...
> }

I would prefer something like:

if ($_GET['count']) {
  // %d and %s tell sql_exec how to check and escape each argument
  sql_exec("INSERT INTO table (count, str) VALUES (%d, %s)",
           $_GET['count'], $_GET['str']);
}

sql_exec would do the actual checking and escaping as needed. I find
that much easier to read and write than explicitly validating the input.

IMHO input validation shouldn't be relied on for preventing security holes.
I use it only for giving human readable error messages and sometimes
preventing DoS by disallowing large input.

[Ed. This message was PGP-signed, which is great, but the signature
was lost when I stripped the MIME encapsulation. KRvW]
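
[Added example, not part of the original message and not the poster's
code: one way a sql_exec() of the kind described above could be built
on PDO prepared statements, so that the checking and escaping happen in
one place. The function body, the "items" table, the in-memory SQLite
database and the sample input are all assumptions made for illustration.]

```php
<?php
declare(strict_types=1);

// Hypothetical sql_exec(): each %d / %s becomes a bound "?" parameter.
// Assumes the query text contains no other "%d" or "%s" sequences.
function sql_exec(PDO $db, string $query, ...$args): PDOStatement
{
    preg_match_all('/%[ds]/', $query, $m);
    $specs = $m[0];
    if (count($specs) !== count($args)) {
        throw new InvalidArgumentException('placeholder/argument count mismatch');
    }
    $stmt = $db->prepare(preg_replace('/%[ds]/', '?', $query));
    foreach ($specs as $i => $spec) {
        if ($spec === '%d') {
            // Reject anything that is not a plain in-range integer.
            $int = filter_var($args[$i], FILTER_VALIDATE_INT);
            if ($int === false) {
                throw new InvalidArgumentException("argument $i is not an integer");
            }
            $stmt->bindValue($i + 1, $int, PDO::PARAM_INT);
        } else {
            // Bound as data: quotes in the value never reach the SQL parser.
            $stmt->bindValue($i + 1, (string) $args[$i], PDO::PARAM_STR);
        }
    }
    $stmt->execute();
    return $stmt;
}

// Constructed table and input; $get stands in for $_GET.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (count INTEGER, str TEXT)');

$get = ['count' => '3', 'str' => "O'Brien'); --"];
sql_exec($db, 'INSERT INTO items (count, str) VALUES (%d, %s)', $get['count'], $get['str']);
// Read the row back to show the string was stored as data.
var_dump($db->query('SELECT count, str FROM items')->fetchAll(PDO::FETCH_ASSOC));

try {
    sql_exec($db, 'INSERT INTO items (count, str) VALUES (%d, %s)', '1 OR 1=1', 'y');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```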






