> -----Original Message-----
> From: Derick Rethans [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, August 14, 2003 1:29 AM
> To: moshe doron
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP-DEV] Re: PHP 4.3.3RC3 Released
> 
> 
> On Thu, 14 Aug 2003, moshe doron wrote:
> 
> > the question is what is the common PHP programming habit. Since there
> > is no public recommendation on the manual (fix me here) or somewhere
> > else, I assume that the habit is not always to verify the data and you
> > can't blame the PHP users.
> 
> Well, that's not our problem if people don't verify user input. Every 
> article dealing with the simplest security problem mentions this.

You mean verifying user input like this?  (My Outlook will wrap this URL
btw, sorry):

http://bugs.php.net/search.php?search_for=&boolean=0&limit=10&order_by=&;reorder_by=XXX&direction=ASC&cmd=display&status=Open&php_os=&phpver=&assign=&author_email=&bug_age=0

"SELECT SQL_CALC_FOUND_ROWS *, TO_DAYS(NOW())-TO_DAYS(ts2) AS unchanged
FROM bugdb WHERE bug_type != 'Feature/Change Request' AND (status='Open'
OR status='Assigned' OR status='Analyzed' OR status='Critical' OR
status='Verified') AND (SUBSTRING(php_version,1,1) = '4' OR
SUBSTRING(php_version,1,1) = '5' OR php_version = 'Irrelevant') ORDER BY
XXX ASC LIMIT 0,10
Unknown column 'XXX' in 'order clause'"

php.net has some sort of failsafe it seems if you try and add another
semicolon, "BAD HACKER!! No database cracking for you today!", hee, but
you have to concede how easy it is to not properly check user input that
makes it into a query.  That took me all of 15 minutes to find.  It's
hard to find a large PHP-based site that doesn't have at least one such
bug, php.net included.

It's an obvious argument for not adding unsafe functionality when you
don't have to, isn't it? :)


-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
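The ORDER BY case discussed in the mail, as an added example that is not from the thread or from php.net's code: a constructed bugdb table in SQLite (sqlite3 stands in for MySQL, so the error text differs), with the semicolon-only check the mail describes beside an allowlist of sort columns, which is the check a `reorder_by` parameter actually needs.

```python
import sqlite3

# Constructed sample table modelled on the bugdb query quoted in the mail (not php.net's schema).
SCHEMA = """
CREATE TABLE bugdb (id INTEGER PRIMARY KEY, status TEXT, php_version TEXT,
                    bug_type TEXT, ts2 TEXT);
"""
ROWS = [
    (1, "Open", "4.3.3", "Bug", "2003-08-01"),
    (2, "Assigned", "5.0.0", "Bug", "2003-08-10"),
    (3, "Open", "4.3.2", "Feature/Change Request", "2003-08-12"),
]

# The only sort keys that may ever be spliced into SQL text.
SORT_COLUMNS = {"id", "status", "php_version", "ts2"}
SORT_DIRECTIONS = {"ASC", "DESC"}

def naive_sort_clause(reorder_by, direction):
    """The pattern the mail describes: reject ';' to stop a second statement,
    then splice the parameter straight into ORDER BY. Anything else reaches the DB."""
    if ";" in reorder_by or ";" in direction:
        raise ValueError("BAD HACKER!! No database cracking for you today!")
    return f"ORDER BY {reorder_by} {direction}"

def safe_sort_clause(reorder_by, direction):
    """Allowlist: the caller selects among known identifiers; unknown input falls back
    to a default, so user text never becomes SQL."""
    if reorder_by not in SORT_COLUMNS:
        reorder_by = "id"
    if direction.upper() not in SORT_DIRECTIONS:
        direction = "ASC"
    return f"ORDER BY {reorder_by} {direction.upper()}"

def run_search(clause_builder, reorder_by, direction):
    """Ids of open/assigned bugs sorted as requested, or the error text the DB returned."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO bugdb VALUES (?,?,?,?,?)", ROWS)
    try:
        sql = ("SELECT id FROM bugdb WHERE bug_type != 'Feature/Change Request' "
               "AND status IN ('Open','Assigned') " + clause_builder(reorder_by, direction))
        return [row[0] for row in conn.execute(sql)]
    except (sqlite3.OperationalError, ValueError) as exc:
        return f"error: {exc}"
    finally:
        conn.close()
```

With the naive builder, `reorder_by=XXX` surfaces the database's own error to the caller, exactly the leak the search page above shows; the allowlisted builder returns the default ordering instead.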