Wednesday, September 26, 2012

Ulf Wendel: Not only SQL injection: I don't trust you!


On his site today, Ulf Wendel talks about SQL injection and some of the comments that came up during a recent webinar on common MySQL mistakes PHP developers make.



Never trust user input! Injection is a threat. You are the new web developer, aren't you? Never trust user input is the first rule I had to learn as a web developer in ancient times. Injection can happen whenever user input is interpreted or used to compose new data. A quick recap of the #3 mistake from today's Top 10 MySQL Tips and Mistakes for PHP Developers web presentation. A webinar recording should be available in a couple of days.


He points out a few things to avoid, like directly injecting superglobal values into your query, and reminds readers that not all SQL injections are caused by escaping issues. The real key is validating input: be sure the values you put into your query are of the correct type and contain what you expect.
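The point that escaping alone does not help when a value lands in a numeric context, and that type validation plus a prepared statement does, can be shown in a few lines of PHP. The following is an added example, not code from Ulf Wendel's post or webinar; it uses an in-memory SQLite database through PDO so it runs stand-alone, and the `users` table, its rows, and the sample inputs standing in for `$_GET['id']` are constructed for the demonstration.

```php
<?php
// Added example (not from the original post): type validation before the
// query, and a bound parameter instead of string interpolation.
// In-memory SQLite via PDO so it runs offline; table and rows are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Vulnerable: the value is quote-escaped, but it is placed in a numeric
// context without quotes, so escaping (which only neutralises quote
// characters) changes nothing. Non-numeric text becomes part of the statement.
function findUserUnsafe(PDO $db, string $rawId): array
{
    $escaped = str_replace("'", "''", $rawId);   // quote-escaping only
    $sql = "SELECT id, name FROM users WHERE id = $escaped";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: validate that the input is what the query expects (a positive
// integer), reject anything else, and bind the value rather than compose SQL.
function findUserSafe(PDO $db, string $rawId): array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs standing in for $_GET['id'].
foreach (['2', '2 OR 1=1', 'abc'] as $input) {
    try {
        $unsafe = count(findUserUnsafe($db, $input)) . ' row(s)';
    } catch (PDOException $e) {
        $unsafe = 'SQL error';
    }
    try {
        $safe = count(findUserSafe($db, $input)) . ' row(s)';
    } catch (InvalidArgumentException $e) {
        $safe = 'rejected';
    }
    printf("%-10s unsafe: %-9s safe: %s\n", $input, $unsafe, $safe);
}
```

Run with `php example.php`: the well-formed id returns one row either way, the second input returns every row from the unsafe query while the validated path rejects it before any SQL is built, and the non-numeric input produces a database error on the unsafe path. The validation step is what catches the last two; the bound parameter is the belt-and-braces part that keeps a value from ever being parsed as SQL.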
