[nycphp-talk] Is there something wrong with this SQL query in PHP?
Anthony Wlodarski
aw at sap8.com
Wed Aug 15 08:24:51 EDT 2007
I ran a test (just added a SQL command, harmless one in a text field) to see
what happens on SQL injection, without proper slashing or escaping
(addslashes/mysql_real_escape_string). I like mysql_real... cause it takes
the guesswork out of making the data safe. Thanks everyone for the brief
lesson on the dangers of this (now I get to go back to all my INSERT/UPDATE
queries and add this functionality, better safe than sorry).
Anthony Wlodarski
Senior Technical Recruiter
Shulman Fleming & Partners
646-285-0500 x230
aw at sap8.com
-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Ben Sgro (ProjectSkyLine)
Sent: Tuesday, August 14, 2007 9:15 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Is there something wrong with this SQL query in PHP?
heh,
Yeah I guess. They weren't validating the user's input. = ]
- Ben
Ben Sgro, Chief Engineer
ProjectSkyLine - Defining New Horizons
----- Original Message -----
From: "John Campbell" <jcampbell1 at gmail.com>
To: "NYPHP Talk" <talk at lists.nyphp.org>
Sent: Tuesday, August 14, 2007 8:31 PM
Subject: Re: [nycphp-talk] Is there something wrong with this SQL query in PHP?
>> They had the exact same problems w/XSS, no input validation.
>
> Input validation? Don't you mean output escaping? You must not allow
> uber leet usernames like |<33|>. :)
>
> -john campbell
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
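An added example, not code from anyone in the thread, putting the two points side by side: the unescaped INSERT Anthony tested, beside the escaped and prepared-statement forms, and the output escaping John raises for a username like |<33|>. It assumes a mysqli connection (`mysqli_real_escape_string` is the surviving equivalent of the `mysql_real_escape_string` the thread discusses), a table `users(username, bio)`, and constructed sample values.

```php
<?php
// Added example (not from the thread). Assumes a mysqli connection $db whose
// charset has been set with $db->set_charset(...), and a table users(username, bio).

// Vulnerable: the values are spliced into the SQL text, so a quote inside a
// field closes the string literal and the rest of the field is parsed as SQL.
function insert_user_unsafe(mysqli $db, string $username, string $bio): bool {
    $sql = "INSERT INTO users (username, bio) VALUES ('$username', '$bio')";
    return (bool) $db->query($sql);
}

// Escaped: real_escape_string escapes according to the connection's character
// set, which is what addslashes cannot know; every INSERT/UPDATE must remember it.
function insert_user_escaped(mysqli $db, string $username, string $bio): bool {
    $u = $db->real_escape_string($username);
    $b = $db->real_escape_string($bio);
    return (bool) $db->query("INSERT INTO users (username, bio) VALUES ('$u', '$b')");
}

// Prepared statement: the data never travels inside the SQL text, so there is
// nothing to escape and nothing to forget on the next query.
function insert_user_prepared(mysqli $db, string $username, string $bio): bool {
    $stmt = $db->prepare("INSERT INTO users (username, bio) VALUES (?, ?)");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $username, $bio);
    return $stmt->execute();
}

// Output escaping (John's point): SQL escaping does nothing for HTML. A stored
// username is escaped where it is rendered, not where it is stored.
function render_username(string $username): string {
    return htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: an apostrophe alone is enough to break the unsafe
// query, while the escaped and prepared forms store the text unchanged.
$bio  = "O'Brien's notes";
$user = "|<33|>";
// insert_user_prepared($db, $user, $bio);
// echo render_username($user);   // prints the username with < and > encoded
```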