Re: mysql_real_escape_string() question

At 11:41 AM -0500 9/29/06, Richard Lynch wrote:
> On Thu, September 28, 2006 2:06 pm, tedd wrote:
>> I realize that you are not asking for an answer, but for a guide --
>> however -- isn't the real problem here simply one of injection? Just
>> stop the user from injecting stuff in the subject and that would fix
>> it right? Or, am I underestimating the problem?

> Underestimating.
>
> Stopping header injection is only one step of a potential world of
> problems.
>
> Consider that the user could provide *ANY* string, of any size, of any
> composition, for their "Subject".
>
> Maybe they POST a worm in Subject, and it has no newlines, but still
> manages to propagate through Outlook.

Then limiting the number of "characters" allowed would provide a degree of security. Worms take some amount of space and reducing that allotment makes it harder to create one.

> I know nada about Unicode, uuencode, and all that crap.

Unicode is nothing more than an expanded ASCII (I'll get flamed for that statement).

But, Unicode is simply extending the 7-bit ASCII problem to 8-bit so that more code-points (characters) can be added for global communications. If you understand ASCII, then you have the basics for Unicode.

> So with all these potential issues, I'm wondering if there isn't a
> more systemic approach to this.

Identify the problem. One of the axioms in security programming is something like "Don't program for things that might be, but rather for things that are known." I think Shiflett said something to that effect in his book.

If you can show me the minimum size for a worm, then setting the character limit in a subject line would protect from that -- but -- are worms, or other evil code, transmitted by subject lines?

> #2. The docs, wonderful as they are, don't really lay out something as
> fundamental as the right escape function for situation X, because you
> need a degree in CS just to "know" that X is really a Y so the right
> function is Z.

Degrees are overrated -- I have plenty of them and I'm still asking questions. Just give me someone who knows WTF they're doing, and that's fine with me. IMO, technology is moving too fast for colleges to keep up. It's the people on the bleeding edge that are innovating, not the ones in the classroom.

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
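An added example in PHP, not code from either poster: the Subject check the two of them are circling (reject line breaks, cap the length, MIME-encode non-ASCII for the header) next to the different tool the same string needs when it is stored in SQL, which is the "X is really a Y so the right function is Z" point. The 200-character limit, the `messages` table and the sample strings are assumptions for the example.

```php
<?php
declare(strict_types=1);

const SUBJECT_MAX_LEN = 200;  // assumed limit for this example

/**
 * Returns a header-safe subject, or null if the input is rejected.
 * Rejecting (not stripping) keeps tampering visible in logs.
 */
function validate_subject(string $subject): ?string
{
    // CR and LF are what header injection relies on; NUL and other
    // control bytes have no business in a Subject either.
    if (preg_match('/[\x00-\x1F\x7F]/', $subject)) {
        return null;
    }
    // Malformed multi-byte input is rejected rather than "fixed".
    if (!mb_check_encoding($subject, 'UTF-8')) {
        return null;
    }
    $len = mb_strlen($subject, 'UTF-8');
    if ($len === 0 || $len > SUBJECT_MAX_LEN) {
        return null;
    }
    // Unicode in a header is an encoding job (RFC 2047), not an escaping job;
    // pure-ASCII input comes back unchanged.
    return mb_encode_mimeheader($subject, 'UTF-8', 'B');
}

/**
 * The same value going into a database needs a bound parameter, not the
 * header check above (mysql_real_escape_string was the old mysql-extension
 * way to do this and is gone from modern PHP).
 */
function store_subject(PDO $db, string $subject): void
{
    $stmt = $db->prepare('INSERT INTO messages (subject) VALUES (:subject)');
    $stmt->execute([':subject' => $subject]);
}

// Constructed sample inputs: a plain subject, a header-injection attempt,
// a non-ASCII subject, and an oversized one.
$samples = [
    "Hello from tedd",
    "Hello\r\nBcc: someone@example.invalid",
    "Grüße aus München",
    str_repeat('A', 500),
];
foreach ($samples as $s) {
    $r = validate_subject($s);
    echo json_encode($s), ' => ', $r === null ? 'REJECTED' : $r, "\n";
}
```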

