Secure Coding mailing list archives
Re: Scripting Languages and Secure Coding
From: Timo Sirainen <tss () iki fi>
Date: Thu, 04 Dec 2003 02:04:10 +0000
On Wed, 2003-12-03 at 06:20, M. Buchzik wrote:
> For example, with this function I would feel absolutely secure:
>
>     if (is_numeric($_GET['count'])) {
>         // Insert $_GET['count'] into Database ...
>         // alternatives: is_int(), is_float(), ... whatever needed
>     }
>
> Unfortunately, the most often found function in the web would look like
> this:
>
>     if ($count) {
>         // Insert my sql injection ...
>     }
I would prefer something like:

    if ($_GET['count']) {
        sql_exec("INSERT INTO table (count, str) VALUES (%d, %s)",
                 $_GET['count'], $_GET['str']);
    }

sql_exec would do the actual checking and escaping as needed. I find that
much easier to read and write than explicitly validating the input.

IMHO input validation shouldn't be relied on to prevent security holes. I
use it only for giving human readable error messages and sometimes
preventing DoS by disallowing large input.

[Ed. This message was PGP-signed, which is great, but the signature was
lost when I stripped the MIME encapsulation. KRvW]
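The sql_exec() idea from the message above, worked through as an added example in Python with sqlite3 (this is not code from the post, from the list, or from any library): a wrapper that checks %d arguments and binds %s arguments, set beside the trusting interpolation pattern the quoted post warns about. The names sql_exec, insert_by_interpolation, count_rows and run_demo, the items table, and the attacker payloads are all constructed for this example.

```python
import re
import sqlite3

# Placeholder syntax modelled on the sql_exec() sketch in the post: %d and %s.
_PLACEHOLDER = re.compile(r"%[ds]")


def sql_exec(conn, template, *args):
    """Run `template` against `conn`, letting the wrapper do the checking.

    %d: the argument must be an integer or a string of ASCII digits; anything
        else is rejected before the database ever sees it.
    %s: the argument is handed to the driver as a bound parameter, so a
        quote inside it is data, not SQL syntax.
    The caller does no escaping of its own.
    """
    kinds = _PLACEHOLDER.findall(template)
    if len(kinds) != len(args):
        raise ValueError(f"{len(kinds)} placeholders but {len(args)} arguments")
    params = []
    for kind, arg in zip(kinds, args):
        if kind == "%d":
            if not re.fullmatch(r"[+-]?[0-9]+", str(arg)):
                raise TypeError(f"%d expects an integer, got {arg!r}")
            params.append(int(arg))
        else:
            params.append(str(arg))
    # The statement text never contains user data; the values travel separately.
    return conn.execute(_PLACEHOLDER.sub("?", template), params)


def insert_by_interpolation(conn, count, text):
    """The trusting 'if ($count)' pattern from the quoted post: paste the
    value straight into the statement. executescript() is used so a
    stacked statement runs, as it does in many real database layers."""
    conn.executescript(
        f"INSERT INTO items (count, str) VALUES ({count}, '{text}');"
    )


def count_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM items").fetchone()[0]


def run_demo():
    """Exercise both paths on an in-memory table and return what happened."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (count INTEGER, str TEXT)")
    insert = "INSERT INTO items (count, str) VALUES (%d, %s)"
    results = {}

    sql_exec(conn, insert, 3, "apple")
    results["rows_before"] = count_rows(conn)

    # Constructed attacker value for `count`: closes the VALUES list and
    # appends a second statement; the trailing comment eats the rest.
    int_payload = "1, 'x'); DELETE FROM items; --"
    insert_by_interpolation(conn, int_payload, "ignored")
    results["rows_after_interpolation"] = count_rows(conn)

    # The same payload through the wrapper never reaches the database.
    try:
        sql_exec(conn, insert, int_payload, "ignored")
        results["wrapper_rejected_bad_int"] = False
    except TypeError:
        results["wrapper_rejected_bad_int"] = True

    # A quote-breaking payload in the %s slot is stored as plain text.
    text_payload = "apple'); DELETE FROM items; --"
    sql_exec(conn, insert, "7", text_payload)
    results["rows_after_wrapper"] = count_rows(conn)
    results["stored_text"] = conn.execute("SELECT str FROM items").fetchone()[0]
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Running it shows the interpolating insert wiping the table (one row before, none after), the wrapper refusing the same value for a %d slot, and the quote-bearing value landing in the %s column as an ordinary string. The design point is the one the message makes: the place that knows the column type is the place that should check it, and the driver's parameter binding removes the need for hand escaping altogether.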
Current thread:
- Re: Scripting Languages and Secure Coding M. Buchzik (Dec 03)
- Re: Scripting Languages and Secure Coding Timo Sirainen (Dec 03)
- Re: Scripting Languages and Secure Coding Martin Stricker (Dec 03)
- Re: Scripting Languages and Secure Coding + code Ghita Serban (Dec 04)
- Re: Scripting Languages and Secure Coding + code David A. Wheeler (Dec 04)
- RE: Scripting Languages and Secure Coding + code Dave Paris (Dec 04)
- Re: Scripting Languages and Secure Coding + code Andrew Rucker Jones (Dec 04)
- Re: Scripting Languages and Secure Coding + code Paul R. C. Ming (Dec 04)
- Re: Scripting Languages and Secure Coding + code David M. Wilson (Dec 05)
- RE: Scripting Languages and Secure Coding + code Dave Paris (Dec 07)
- Re: Scripting Languages and Secure Coding + code ck (Dec 08)
- Re: Scripting Languages and Secure Coding + code ck (Dec 08)
- Re: Scripting Languages and Secure Coding + code David A. Wheeler (Dec 04)