Re: securing web form interaction

2005-02-16 Thread Arshavir Grigorian
ben syverson wrote: On Feb 15, 2005, at 12:02 PM, Jonathan Vanasco wrote: preemptive defense of potential SQL injection attacks Check out mod_security -- it has this built-in. (There's an intro here:

Re: securing web form interaction

2005-02-16 Thread Octavian Rasnita
that spells the security string letter by letter. I think it is not very complicated to create that kind of file. Teddy - Original Message - From: "ben syverson" <[EMAIL PROTECTED]> To: Sent: Tuesday, February 15, 2005 10:33 PM Subject: Re: securing web form interaction

Re: securing web form interaction

2005-02-15 Thread Ron Savage
Hi Folks
> I usually use placeholders in DBI. Is this enough for avoiding SQL
> injections?
Keywords: Inject, SQL, Oracle
http://online.securityfocus.com/infocus/1644
http://www.nextgenss.com/papers.html
http://www.ngssoftware.com/research/papers.html
http://www.ngssoftware.com/papers/advanced_sql_injec

Re: securing web form interaction

2005-02-15 Thread Malcolm J Harwood
On Tuesday 15 February 2005 2:11 pm, Adam Prime x443 wrote: >> > $dbh->quote() everything you can. At least some of the DBDs quote numbers, even when such should not be quoted. So "quote() everything" doesn't always work. >> Or make it easy on yourself and just use placeholders. > that too, assu

RE: securing web form interaction

2005-02-15 Thread Adam Prime x443
t: Tuesday, February 15, 2005 2:19 PM To: Ian Joyce; Adam Prime x443 Cc: Mod-Perl ((E-mail)) Subject: Re: securing web form interaction Hi, I usually use placeholders in DBI. Is this enough for avoiding SQL injections? I have made a simple test and I have seen that it seems to be enough, but...

Re: securing web form interaction

2005-02-15 Thread ben syverson
On Feb 15, 2005, at 1:20 PM, Octavian Rasnita wrote: Don't forget to create a sound file also that will contain the pass phrase, because otherwise the blind visitors won't be able to use your site. Wow -- this is a great idea -- do you have any links to sites which implement this? I'd like to see how

Re: securing web form interaction

2005-02-15 Thread Perrin Harkins
On Tue, 2005-02-15 at 21:19 +0200, Octavian Rasnita wrote: > I usually use placeholders in DBI. Is this enough for avoiding SQL > injections? Yes. It will escape all values. - Perrin
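The placeholder advice in the replies above, shown as an added example that is not code from any poster in this thread. It is written in Python with sqlite3 rather than Perl DBI, but the `?` placeholders behave the same way (DBD::SQLite uses the same syntax); the users table, the credentials and the attack strings are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample table for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_interpolated(conn, name, password):
    """VULNERABLE: form values are spliced into the SQL text, so a quote
    character in the input changes the meaning of the statement."""
    sql = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    return [row[0] for row in conn.execute(sql)]


def login_placeholders(conn, name, password):
    """Safe: the driver passes the values separately from the statement text,
    so whatever the form sends is only ever treated as data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


# Placeholders bind values, not identifiers: a bound ORDER BY column would be
# a constant string and sort nothing. A column name taken from a form has to be
# checked against a fixed allowlist instead (hypothetical allowlist below).
SORTABLE_COLUMNS = {"id", "name"}


def users_sorted_by(conn, column):
    if column not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column: %r" % column)
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY " + column)]


def demo():
    """Run the same inputs through both login variants and return the rows
    each one produced."""
    conn = make_db()
    tautology = "' OR '1'='1"   # turns the WHERE clause into a tautology
    comment = "alice' --"       # comments out the password check entirely
    return {
        "interpolated_normal": login_interpolated(conn, "alice", "s3cret"),
        "interpolated_tautology": login_interpolated(conn, "alice", tautology),
        "interpolated_comment": login_interpolated(conn, comment, "wrong"),
        "placeholders_normal": login_placeholders(conn, "alice", "s3cret"),
        "placeholders_tautology": login_placeholders(conn, "alice", tautology),
        "placeholders_comment": login_placeholders(conn, comment, "wrong"),
        "sorted_by_name": users_sorted_by(conn, "name"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print("%-24s %s" % (label, rows))
```

With string interpolation the tautology payload returns every user and the comment payload logs in as alice without a password; with placeholders both return no rows, because the quote characters never reach the SQL parser. The allowlisted ORDER BY is the one place placeholders do not help, since a table or column name is not a value the driver can bind.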

Re: securing web form interaction

2005-02-15 Thread Octavian Rasnita
m Prime x443" <[EMAIL PROTECTED]> Cc: "Mod-Perl ((E-mail))" Sent: Tuesday, 15 February 2005 21:09 PM Subject: Re: securing web form interaction On Tue, 15 Feb 2005 14:07:22 -0500, Adam Prime x443 <[EMAIL PROTECTED]> wrote: > > $dbh->quote() everything you can. > Or make it easy on yourself and just use placeholders. --Ian

Re: securing web form interaction

2005-02-15 Thread Octavian Rasnita
Don't forget to create a sound file also that will contain the pass phrase, because otherwise the blind visitors won't be able to use your site.

RE: securing web form interaction

2005-02-15 Thread Adam Prime x443
that too, assuming that your DBD supports them. -Original Message- From: Ian Joyce [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 15, 2005 2:09 PM To: Adam Prime x443 Cc: Mod-Perl ((E-mail)) Subject: Re: securing web form interaction On Tue, 15 Feb 2005 14:07:22 -0500, Adam Prime

Re: securing web form interaction

2005-02-15 Thread Ian Joyce
On Tue, 15 Feb 2005 14:07:22 -0500, Adam Prime x443 <[EMAIL PROTECTED]> wrote: > > $dbh->quote() everything you can. > Or make it easy on yourself and just use placeholders. --Ian

RE: securing web form interaction

2005-02-15 Thread Adam Prime x443
> Can anyone give me some tips for securing web form interaction? > > I'm looking specifically for 2 things: > > preemptive defense of potential SQL injection attacks > $dbh->quote() everything you can.

Re: securing web form interaction

2005-02-15 Thread Sean Davis
On Feb 15, 2005, at 1:02 PM, Jonathan Vanasco wrote: Can anyone give me some tips for securing web form interaction? I'm looking specifically for 2 things: preemptive defense of potential SQL injection attacks See CGI::Untaint on CPAN for routine untainting. Sean

Re: securing web form interaction

2005-02-15 Thread ben syverson
On Feb 15, 2005, at 12:02 PM, Jonathan Vanasco wrote: preemptive defense of potential SQL injection attacks Check out mod_security -- it has this built-in. (There's an intro here: , and the main guy is

securing web form interaction

2005-02-15 Thread Jonathan Vanasco
Can anyone give me some tips for securing web form interaction? I'm looking specifically for 2 things: preemptive defense of potential SQL injection attacks 'human only' readable gifs on forms to preemptively defend against bots without using some crazed throttling scheme