Jason Pruim wrote:
On Sep 11, 2007, at 2:10 PM, Stut wrote:
Jason Pruim wrote:
On Sep 11, 2007, at 1:22 PM, Instruct ICC wrote:
Also read http://en.wikipedia.org/wiki/SQL_injection
I have read about SQL injection, and I will be scrubbing the data
before searching but the search is only available after logging into
the system. No one who isn't logged in can even view the page :)
That couldn't be less relevant. Repeat after me... "Legitimate" users
can be malicious too. All data going into a SQL statement needs to be
escaped unless it's a hard-coded string. No exceptions. Ever.
I see what you are getting at, and I do plan to check the data before
searching the contents of the database, but I was hoping to get one
thing working at a time since I'm still learning all of this :)
Sorry to go on about it, but security is not something you add after
you've got it working - that leads to holes. You need to bake security
right in from the start.
-Stut
--
http://stut.net/
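A worked illustration of Stut's point above, added here as an example that is not code from the thread or from either poster. It assumes PHP's PDO extension with the SQLite driver, and a hypothetical `contacts` table, so that it runs offline: the first function builds the search query the way the thread warns against, the second passes the user's term as a bound parameter (the prepared-statement form of "escape everything that isn't hard-coded") and also escapes LIKE wildcards so the search keeps its intended meaning.

```php
<?php
// Added example: a "search after login" query done the unsafe way and the
// safe way. Table and column names are assumed for the demonstration.

// --- Unsafe: the user's term is spliced into the SQL text ---------------------
function buildSearchSqlUnsafe(string $term): string
{
    // The term becomes part of the SQL grammar itself, so even a legitimate
    // value containing a quote changes the structure of the statement.
    return "SELECT id, name FROM contacts WHERE name LIKE '%" . $term . "%'";
}

// --- Safe: the term travels as a bound parameter ------------------------------
function searchContacts(PDO $db, string $term): array
{
    // Injection is prevented by the placeholder. Wildcard escaping is a
    // separate concern: without it a term such as "%" matches every row.
    // '!' is used as the escape character so the pattern is portable.
    $pattern = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term) . '%';

    $stmt = $db->prepare(
        "SELECT id, name FROM contacts WHERE name LIKE :pattern ESCAPE '!'"
    );
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database so the example is self-contained.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO contacts (name) VALUES ('O''Brien'), ('Smith'), ('Smithson')");

// A perfectly ordinary search term that happens to contain a quote.
$term = "O'Brien";

// The string-built query fails on honest input, which is the same defect
// a hostile logged-in user would exploit.
try {
    $db->query(buildSearchSqlUnsafe($term));
} catch (PDOException $e) {
    echo "unsafe query failed: ", $e->getMessage(), "\n";
}

// The parameterised query handles the same term correctly.
foreach (searchContacts($db, $term) as $row) {
    echo $row['id'], ' ', $row['name'], "\n";
}

// A wildcard typed by the user is matched literally, not as a pattern.
var_dump(count(searchContacts($db, '%')) === 0);
```

The point the example makes is the one Stut is making: whether the caller is logged in has no bearing on how the query is built. The only safe place for user-supplied data is a bound parameter; the LIKE escaping on top of that is about keeping the search's semantics, not about injection.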
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php