[20828] in bugtraq
RE: TWIG SQL query bugs
daemon@ATHENA.MIT.EDU (Jeff Dafoe)
Thu May 31 22:31:07 2001
From: "Jeff Dafoe" <jeffd@evcom.net>
To: "Ryan Fox" <rfox@noguska.com>, "Ben Efros" <Ben@Efros.com>,
"Luki Rustianto" <luki@karet.org>, <bugtraq@securityfocus.com>
Date: Thu, 31 May 2001 11:42:56 -0400
Message-ID: <NDBBIOPEKLHMHCDKLPLPMEFEDOAA.jeffd@evcom.net>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
In-Reply-To: <00b201c0e941$fd6562c0$5d601cd8@noguska.com>
> Good programming practice is to code a function specifically to strip any
> possible malicious characters out of strings, and wrap it around every
> variable put into a query, whether it should be user-supplied or not.
> Addslashes is a good function to call from your stripping function, but it
> should not be your only line of defense.
Remember that truly good programming practice is to make sure that your
sanitization function defines what is allowed to exist in the string (known
good) and then strips everything else out. This and other items relating to
secure programming practices are discussed in the secprog mailing list
(secprog@securityfocus.com).
Jeff
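The distinction Jeff draws above (a known-good definition of the input versus escaping known-bad characters) can be shown in a few lines of code. What follows is an added example written for this page, not code from TWIG or from anyone in the thread; it is in Python against an in-memory SQLite table rather than TWIG's PHP/MySQL, and the table, the `addslashes` re-implementation and all function names are assumptions made for the illustration. It shows the classic case where addslashes alone fails: the value is used in an unquoted numeric context, so there is no quote to escape, and a validator that only accepts what is defined as allowed rejects the same input outright.

```python
import re
import sqlite3

# Constructed sample data standing in for a TWIG-style user table (not TWIG's real schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "a-secret"), (2, "bob", "b-secret")])
    return conn

def addslashes(s):
    """Re-implementation of PHP's addslashes(): backslash-escape ' " \\ and NUL.
    This is the 'known bad' approach: it only neutralises characters someone
    thought of, and only helps when the value ends up inside SQL quotes."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\x00", "\\0"))

def lookup_escaped(conn, user_id):
    """Vulnerable: the value is escaped but used unquoted in a numeric context,
    so addslashes changes nothing and the attacker's SQL is parsed as SQL.
    (Numeric context is used deliberately: it behaves the same on SQLite and
    MySQL, whereas SQLite does not interpret backslash escapes inside quotes.)"""
    sql = "SELECT name FROM users WHERE id = " + addslashes(user_id)
    return [row[0] for row in conn.execute(sql)]

_ID_RE = re.compile(r"[0-9]{1,10}")   # assumed known-good definition of an id

def is_known_good_id(value):
    """Allow-list check: an id is 1-10 ASCII digits and nothing else.
    str.isdigit() is avoided on purpose; it accepts non-ASCII digit characters."""
    return isinstance(value, str) and _ID_RE.fullmatch(value) is not None

def known_good_id(value):
    """Reject, rather than 'clean', anything outside the known-good definition."""
    if not is_known_good_id(value):
        raise ValueError("rejected: id must be 1-10 ASCII digits, got %r" % (value,))
    return int(value)

def lookup_validated(conn, user_id):
    """Hardened: validate against the known-good definition first, then bind the
    value as a query parameter so it can never be parsed as SQL."""
    uid = known_good_id(user_id)
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE id = ?", (uid,))]

def demo():
    """Run both lookups against a constructed injection string and a benign id."""
    conn = make_db()
    attack = "1 OR 1=1"
    escaped = lookup_escaped(conn, attack)      # addslashes did nothing: every user comes back
    try:
        lookup_validated(conn, attack)
        validated = "accepted"
    except ValueError as err:
        validated = str(err)                    # the allow-list check rejected it
    return {"escaped": escaped, "validated": validated,
            "benign": lookup_validated(conn, "2")}

if __name__ == "__main__":
    print(demo())
```

The validator in `is_known_good_id` encodes what the application means by an id; the parameter binding in `lookup_validated` is the second line of defense Ryan alludes to, so that even a validation mistake cannot turn user data into SQL syntax.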