[NBLUG/talk] CGI programming memory lapse

Suzanne Aldrich aigeanta at gmail.com
Wed Jun 7 12:56:03 PDT 2006


On 6/7/06, Chris Palmer <chris at eff.org> wrote:

> > Think of it like this: You are putting data into MySQL and you decide
> > to name your variable $query. Let's say someone tries to be smart and
> > recodes your form and makes a field called "$query". They just
> > injected your database.
>
> Oh, you don't need register_globals on for SQL injection to be all too
> easy.  Watch the Bugtraq mailing list for, like, 20 seconds, and you will
> see 20 posts about PHP apps with SQL injection vulnerabilities.  Every
> unvalidated input variable that later is used as part of an SQL query is
> an SQL injection vector.  It's part of the fun!
>

What I don't understand is, since everyone knows SQL injections are a
problem, why isn't there a standard function that will clean up any user
submitted data before performing SQL operations? Or, perhaps there could be
a default setting that would just automagically screen for attacks.

This security-as-an-afterthought method of designing languages/platforms is
really hurting our ability to develop new and innovative applications. If
I'm spending half my time worrying about script-kiddies, I don't have as
much opportunity to invent a useful feature or write comprehensive
documentation or do usability testing.

Anyone agree?

--
Suzanne Aldrich
aigeanta at gmail.com