Re: SEARCHING for an answer...

On Sep 11, 2007, at 2:59 PM, Stut wrote:

> Jason Pruim wrote:
>> On Sep 11, 2007, at 2:10 PM, Stut wrote:
>>> Jason Pruim wrote:
>>>> On Sep 11, 2007, at 1:22 PM, Instruct ICC wrote:
>>>>> Also read http://en.wikipedia.org/wiki/SQL_injection
>>>> I have read about SQL injection, and I will be scrubbing the data before searching, but the search is only available after logging into the system. No one who isn't logged in can even view the page :)
>>>
>>> That couldn't be less relevant. Repeat after me... "Legitimate" users can be malicious too. All data going into a SQL statement needs to be escaped unless it's a hard-coded string. No exceptions. Ever.
>>
>> I see what you are getting at, and I do plan to check the data before searching the contents of the database, but I was hoping to get one thing working at a time since I'm still learning all of this :)
>
> Sorry to go on about it, but security is not something you add after you've got it working - that leads to holes. You need to bake security right in from the start.

And thank you for hammering this into me :) I'm at the point of developing my programming habits, and secure coding is a good habit to be in. Some would say it is the only habit to be in... :)

> -Stut
>
> --
> http://stut.net/


--

Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424
www.raoset.com
japruim@xxxxxxxxxx
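Stut's point above (every value that reaches a SQL statement is data, never query text, and being logged in changes nothing), shown as an added example that is not part of this thread or of anyone's posted code. It is written in Python against an in-memory SQLite table with constructed sample rows so it runs stand-alone; in PHP the equivalent of the bound `?` parameter is a PDO prepared statement with bound parameters. It also shows a caveat that matters for a search form specifically: bound parameters stop injection, but `%` and `_` inside a LIKE pattern are still wildcards, so a search for `%` returns the whole table unless they are escaped as well.

```python
import sqlite3

# Constructed sample data: the table behind a members-only "search" page.
ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol_admin", "carol@example.com"),
]


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?)", ROWS)
    return conn


def search_unsafe(conn, term):
    """String concatenation: the user's term becomes part of the SQL grammar."""
    sql = "SELECT name FROM contacts WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Bound parameter: the term is passed to the driver as data, never as SQL."""
    sql = "SELECT name FROM contacts WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


def search_like_naive(conn, term):
    """Parameterised, so no injection, but LIKE wildcards in the term still apply."""
    sql = "SELECT name FROM contacts WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def escape_like(term, esc="\\"):
    """Escape the LIKE metacharacters so the term matches literally."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_like_safe(conn, term):
    """Parameterised AND wildcard-escaped: safe for a free-text search box."""
    sql = "SELECT name FROM contacts WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + escape_like(term) + "%",))]


if __name__ == "__main__":
    db = make_db()
    attack = "x' OR '1'='1"          # typed by a logged-in, "legitimate" user
    print(search_unsafe(db, attack))  # every row: the quote closed the string
    print(search_safe(db, attack))    # []: no contact is literally named that
    print(search_like_naive(db, "%"))  # every row: % is still a wildcard
    print(search_like_safe(db, "%"))   # []: % is now matched literally
```

The vulnerable and hardened versions differ only in whether the term is concatenated into the query text or handed to the driver as a parameter; the LIKE escaping is the extra step a search feature needs on top of that, because the parameter is safe as SQL but is still interpreted as a pattern.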

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php