mailing list archives
RE: TWIG SQL query bugs
From: "Jeff Dafoe" <jeffd () evcom net>
Date: Thu, 31 May 2001 11:42:56 -0400
Good programming practice is to code a function specifically to strip any
possible malicious characters out of strings, and wrap it around every
variable put into a query, whether it should be user-supplied or not.
Addslashes is a good function to call from your stripping function, but it
should not be your only line of defense.
Remember that truly good programming practice is to make sure that your
sanitization function defines what is allowed to exist in the string (known
good) and then strips everything else out. This and other items relating to
secure programming practices are discussed in the secprog mailing list
(secprog () securityfocus com).
- RE: TWIG SQL query bugs Jeff Dafoe (Jun 01)