On Thu, 14 Aug 2003, Steven Brown wrote:
> > -----Original Message-----
> > From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, August 14, 2003 10:53 PM
> > To: Steven Brown
> > Cc: [EMAIL PROTECTED]
> > Subject: RE: [PHP-DEV] Re: PHP 4.3.3RC3 Released
> >
> > On Thu, 14 Aug 2003, Steven Brown wrote:
> > > I found an example of passing unvalidated input into a SQL query; I
> > > didn't say it would lead to an exploit. The point was, yes, even you
> > > guys make this mistake. It's not a "Well, you should have learned to
> > > write secure code" type of issue. Everyone makes this mistake
> > > occasionally.
> >
> > Unvalidated in what sense? We don't validate for multiple
> > queries because we have no need to do so.
>
> Unvalidated in that I could modify the SQL query as my text in the URL
> made it into the query unvalidated, unquoted, and unescaped.
So? There is no possibility of an exploit here, so the validation is
adequate. And I have no idea why you copied the entire thread back to
me. I read it.

We cannot possibly predict what user input will be problematic in the
various backends. The query chaining char, if supported, is likely
different from one backend to the next, and chars that may be illegal
in other ways vary as well. On top of that, specific application
characteristics will introduce another set of dangerous data. People
need to move towards policy-based input filtering and not rely on what
can only be pathetically incomplete higher level filters.

-Rasmus

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
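The following is an added example illustrating the point Rasmus makes above; it is not code from the thread, from Rasmus, or from the PHP project, and it does not reproduce whatever query Steven Brown found. It uses Python's sqlite3 with a constructed two-row table to contrast three ways of handling the same user-supplied value: interpolating it raw, stripping the statement separator (a backend-specific "higher level filter"), and enforcing an application-defined policy for what a username may look like before binding it as a parameter. The table, rows, payload and the USERNAME_POLICY pattern are all assumptions made for the example.

```python
"""Policy-based input filtering versus stripping one dangerous character.

Added example (not from the PHP project or the mailing-list thread).
All data below is constructed for the demonstration.
"""
import re
import sqlite3


def make_db():
    """In-memory SQLite database with two constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "s3cret-a"),   # constructed
        (2, "bob", "s3cret-b"),     # constructed
    ])
    return conn


def lookup_unfiltered(conn, name):
    """Interpolates the raw value: unvalidated, unquoted, unescaped."""
    sql = "SELECT id, name FROM users WHERE name = '%s' ORDER BY id" % name
    return conn.execute(sql).fetchall()


def strip_chaining_char(value):
    """A 'higher level filter': drop the statement separator and nothing else.

    Which separator a backend honours (if any) varies, and an injection
    does not need one at all, so this is incomplete by construction.
    """
    return value.replace(";", "")


def lookup_with_blacklist(conn, name):
    return lookup_unfiltered(conn, strip_chaining_char(name))


# Application policy (an assumption for this example): a username is
# 1-32 chars, lowercase letter first, then lowercase letters, digits or '_'.
# This says what the field *is*, independent of any database backend.
USERNAME_POLICY = re.compile(r"\A[a-z][a-z0-9_]{0,31}\Z")


def validate_username(value):
    """Policy-based filter: accept only values that match the policy."""
    if not USERNAME_POLICY.match(value):
        raise ValueError("username does not match policy")
    return value


def lookup_with_policy(conn, name):
    """Validate against policy first, then bind as a parameter (no interpolation)."""
    name = validate_username(name)
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ? ORDER BY id", (name,)
    ).fetchall()


def run_demo():
    """Run all three strategies against an honest value and a payload."""
    conn = make_db()
    payload = "x' OR '1'='1"   # constructed; note it contains no ';' at all
    results = {
        "honest_raw": lookup_unfiltered(conn, "alice"),
        "payload_raw": lookup_unfiltered(conn, payload),
        "payload_blacklist": lookup_with_blacklist(conn, payload),
        "honest_policy": lookup_with_policy(conn, "alice"),
    }
    try:
        lookup_with_policy(conn, payload)
        results["payload_policy"] = "accepted"
    except ValueError:
        results["payload_policy"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-18s %s" % (key, value))
```

The payload never uses a statement separator, so stripping `;` changes nothing: both the raw and the blacklisted lookups return every row, while the policy check rejects the value before it reaches the database. sqlite3's `execute()` also refuses to run more than one statement per call, which is one concrete instance of the backend-to-backend variation described above: a filter tuned to one backend's chaining behaviour tells you nothing about the next one.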