PHP - security etc
Michael Stillwell
mjs at beebo.org
Wed Mar 7 14:30:41 GMT 2007
On 7 Mar 2007, at 14:02, dakkar wrote:
>> Is PHP more or less open to nasties such as SQL injection?
>
> For a lot of time, people built their SQL queries without
> placeholders. And did not escape user-supplied values before printing
> them out. So, SQL Injection and XSS. Some PHP libraries *have* support
> for placeholders, and most PHP templating systems *have* escaping
> filters. A lot of people just don't use them...
I would say the security problems with PHP are partly to do with PHP
being crap, and partly to do with the programmers being crap--a bit
like the situation with Perl, though at least Perl's core libraries
are generally good.
With PHP, the core libraries are sometimes awful. For example, you
might think that the following is safe:
$sth = odbc_prepare($dbh, "INSERT INTO people(name) VALUES(?)");
$res = odbc_execute($sth, array($name));
But no! For some monstrous reason, any *value* that starts and ends
with a single quote "will be taken as the name of a file to read and
send to the database server as the data for the appropriate
placeholder." So if $name is "'/etc/password'" the *contents* of
/etc/password get inserted into your database. (See
http://php.net/odbc_execute.)
(As a side note, does anyone else find it a bit odd that MySQL
prepared statements don't/can't use the query cache? Is there any
way around this? Is this a problem with other DBs?)
--M.
--
http://beebo.org
+44 78 2118 9049
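An added example, not part of Michael's post or of PHP's ODBC extension: a small guard that refuses the quote-wrapped parameters odbc_execute() would otherwise treat as filenames, so the prepared statement from the post can be executed without the file-read surprise. odbc_prepare() and odbc_execute() are PHP's real functions; the names isFilenameTriggering() and guardedOdbcExecute(), the logger callback, and the sample inputs are this example's own assumptions.

```php
<?php
// Added example (not from the original post). odbc_execute() treats any
// parameter string that both starts and ends with a single quote as the
// name of a file whose contents are sent as the placeholder's data. The
// guard below rejects such values before they reach the driver. The helper
// names and sample inputs here are constructed for illustration.

declare(strict_types=1);

/**
 * True when a value would be read as a filename by odbc_execute(): a string
 * of at least two characters whose first and last characters are both "'".
 * This is deliberately conservative (it also flags the empty-inside "''");
 * a legitimate value that looks like this is vanishingly rare.
 */
function isFilenameTriggering(mixed $value): bool
{
    if (!is_string($value) || strlen($value) < 2) {
        return false;
    }
    return $value[0] === "'" && $value[strlen($value) - 1] === "'";
}

/**
 * Drop-in replacement for odbc_execute() that throws instead of letting a
 * quote-wrapped parameter turn into a file read. The optional logger gets
 * the parameter index (not the value, which may be attacker-controlled) so
 * the attempt is visible in application logs.
 */
function guardedOdbcExecute($sth, array $params, ?callable $log = null): bool
{
    foreach ($params as $i => $value) {
        if (isFilenameTriggering($value)) {
            if ($log !== null) {
                $log(sprintf('odbc parameter %d rejected: quote-wrapped value', $i));
            }
            throw new InvalidArgumentException(
                "Parameter $i would be read as a filename by odbc_execute()"
            );
        }
    }
    return odbc_execute($sth, $params);
}

// Constructed sample inputs, as a form field might supply them, with the
// verdict the guard should give for each.
$samples = [
    'Ada Lovelace'   => false,
    "O'Brien"        => false,  // an apostrophe inside the value is harmless
    "'/etc/password'" => true,  // the case from the post
    "'"              => false,  // a lone quote is not wrapped
    "''"             => true,   // conservative: flagged even though empty inside
];

foreach ($samples as $input => $expected) {
    $got = isFilenameTriggering($input);
    printf("%-18s %s\n", $input, $got === $expected ? 'ok' : 'MISMATCH');
}

// Real use, once $dbh is an ODBC connection and $name comes from the request
// (not run here, since this example has no database):
//   $sth = odbc_prepare($dbh, "INSERT INTO people(name) VALUES(?)");
//   guardedOdbcExecute($sth, [$name], fn (string $m) => error_log($m));
```

Throwing rather than quietly stripping the quotes is the point: the caller learns that the value could not be passed safely, and the log line gives operations a signal to look for. Binding through a driver layer without this quirk (to my knowledge PDO's bindValue() behaves differently, but check the driver you use) avoids the problem entirely.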