Re: SQL injection
From | Matthew D. Fuller
Subject | Re: SQL injection
Date |
Msg-id | 20051102010141.GG1367@over-yonder.net
In reply to | Re: SQL injection (Tom Lane <tgl@sss.pgh.pa.us>)
Responses | Re: SQL injection
List | pgsql-general
On Tue, Nov 01, 2005 at 08:57:04AM -0500 I heard the voice of Tom Lane, and lo! it spake thus:

> If you rely on applying an escaping function then it's pretty easy
> to forget it in one or two places, and it only takes one hole to be
> vulnerable :-(.

The trick is to make it a religious ritual. I escape things into _q variables:

    $name = $_REQUEST['name'];
    $name_q = db_quote($name);

And have myself thoroughly trained to ONLY use _q variables in building queries. Of course, once in a while, I forget to _create_ the _q version before using it, but then I get a nice loud error message castigating me for it. I often (not consistently) create _q variables even for known-good strings and such that I hardcode into the program.

It could well be that using prepared statements is by various metrics a "better" way to go about things. But I'm far too lazy to try and reprogram my fingers ;-)

--
Matthew Fuller (MF4839) | fullermd@over-yonder.net
Systems/Network Administrator | http://www.over-yonder.net/~fullermd/
On the Internet, nobody can hear you scream.
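The "_q discipline" described in the message above, made mechanical, beside the prepared-statement alternative it mentions. This is an added example, not code from the post or from PostgreSQL. It assumes the stdlib sqlite3 module standing in for PostgreSQL so it runs offline (both use doubled single quotes for standard string literals; the bind placeholder is `?` here but `%s` with psycopg), and a hypothetical `Quoted` marker type and `build_query()` helper that turn the author's "nice loud error message" into a TypeError whenever a raw string reaches query construction. The `db_quote()` shown handles only standard-conforming strings; a server that treats backslashes as escapes would need more, which is one reason parameter binding is the safer default.

```python
# Added example (not from the post): the "_q" escaping discipline made
# mechanical, next to parameter binding. Assumptions: sqlite3 stands in for
# PostgreSQL; Quoted/build_query are hypothetical helpers, not a real API.
import sqlite3


class Quoted(str):
    """Marker type: a string that has already been through db_quote().
    Plays the role of the post's *_q variables."""


def db_quote(value: str) -> Quoted:
    """Return value as a single-quoted SQL literal with embedded quotes doubled.
    Only correct for standard-conforming strings (standard_conforming_strings=on
    in PostgreSQL). With backslash-escaping literals (E'...', old defaults) a
    backslash would also need escaping; parameter binding avoids the question."""
    return Quoted("'" + value.replace("'", "''") + "'")


def build_query(template: str, **values) -> str:
    """Format `template` only with Quoted values. Passing a raw str is the
    'forgot to create the _q version' mistake; fail loudly instead of quietly
    producing an injectable statement."""
    for name, value in values.items():
        if not isinstance(value, Quoted):
            raise TypeError(f"{name} is a raw string; pass db_quote(...) output")
    return template.format(**values)


def _connect() -> sqlite3.Connection:
    # Constructed sample data: two users, one with a quote in the name.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("O'Brien", "s2")])
    return conn


def lookup_naive(name: str) -> list:
    """The hole Tom Lane warns about: request value concatenated straight in."""
    conn = _connect()
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_quoted(name: str) -> list:
    """The post's discipline: escape into a _q variable, use only _q in SQL."""
    conn = _connect()
    name_q = db_quote(name)
    sql = build_query("SELECT name FROM users WHERE name = {name_q}", name_q=name_q)
    return [row[0] for row in conn.execute(sql)]


def lookup_param(name: str) -> list:
    """The alternative the post calls 'better': the value is bound as a
    parameter and never becomes part of the SQL text."""
    conn = _connect()
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def missing_quote_is_loud() -> bool:
    """True if build_query rejects a raw string, i.e. the slip is caught."""
    try:
        build_query("SELECT name FROM users WHERE name = {name_q}", name_q="alice")
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    attack = "' OR '1'='1"
    print("naive  :", lookup_naive(attack))    # every row leaks
    print("quoted :", lookup_quoted(attack))   # no rows
    print("param  :", lookup_param(attack))    # no rows
    print("O'Brien:", lookup_quoted("O'Brien"), lookup_param("O'Brien"))
    print("raw _q rejected:", missing_quote_is_loud())
```

Run it as a script: the naive lookup returns both users for the `' OR '1'='1` input, while the quoted and parameterized lookups return nothing for it and still find `O'Brien` on a legitimate query. The naive version also breaks on that legitimate name (unbalanced quote), which is the usual way such holes first get noticed.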