Matt,

> You are of course welcome to disagree with the overwhelming body of security
> advice that parameterized queries are the correct, secure way to prevent SQL
> injection. In that case, you only need to not enable this feature. This
> feature is off-by-default, and only attempts to help secure webapplications
> and webdevelopers who do (or are required, for example by PCI compliance
> standards) to adopt this security-best-practice to ensure that they do so
> systematically across their entire website.

You seem to misunderstand me. I'm *not* saying that you shouldn't use
parameterized queries. Nor that they are not one of the best tools
available. I am simply pointing out that they are not a sure-fire
one-stop solution. There is a lot more that goes into it than simply
using prepare/bind. As indicated by the two cases I talked about
(structural elements not being supported and implementation quirks) as
well as others (DOS attacks from wildcards in malformed query
parameters, type validation, etc). This is not to say that we should
avoid PQ, but that we should recognize that it's not enough to just
use one thing and forget about everything else.

Anthony

PS: w3schools is NOT w3c. And their content is probably the single
largest source of security vulnerabilities for PHP, so citing them in
a security discussion is more than a little ironic.

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to