[ale] Well, this does nothing for the reputation of Linux

Michael B. Trausch mbt at naunetcorp.com
Mon Jul 22 12:25:40 EDT 2013


On 07/22/2013 12:14 PM, Andy Borgmann wrote:
> "I'm decent with PHP, it's what I do almost all day every day, and I
> find new ways to do stupid things with it all the time. Having torn
> apart a few PHP frameworks like CodeIgnitor and Kohana, as well as
> some Ruby on Rails apps, I think frameworks provide a false sense of
> security and make it even easier to do stupid things quickly." - this
> is why I prefer not to use Frameworks like CodeIgnitor but do custom
> coding.  The thought (maybe wrong), is that hackers look for what is
> easiest so they will try stuff that breaks CodeIgnitor and WordPress
> and phpBB and the like more than trying to figure out the intricacies
> of the custom code.

You can mitigate that and save yourself a lot of time and effort, not to
mention save yourself the reinvention of the wheel, by adopting a
framework and getting to know it well.

If you do what most do, and just pick something and use it, you're in
for a bad ride.  Read and understand the framework you use.  That also
means don't pick one that you can't read.  If it's really a big deal
then instead of writing custom frameworks for every application, create
your own standard framework that you use as the basis for the things you
create, so that you're only solving a problem one time.

> I'll have to look into the Binary injection stuff.  I always just
> tried the ' OR 1=1' type of stuff to make sure it was secure.  Thanks
> for that.

Ah, injection is a very complex thing.  To avoid it:

 1. Do not allow identifiers to come from untrusted sources.
 2. Sanitize all data that comes from an untrusted source so that it
    complies with the rules for the data.  If something is supposed to
    be an integer, make sure it's an integer and not a string, and vice
    versa.
 3. Properly quote all identifiers.
 4. Properly escape and quote all values for the DBMS in use.

If you follow those rules, you cannot have injection, because you can't
break out of values, and therefore cannot modify the query or attempt to
start a second query.

Additionally, one SQL statement per call helps keep things clear, so
that everybody can easily see that injection isn't occurring in a very
clean context.

    --- Mike


-- 
Michael B. Trausch

President, *Naunet Corporation*
(678) 287-0693 x130 or (888) 494-5810 x130

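The four rules from the reply above, worked through as an added example that is not part of the thread or Mike's own code; it uses Python's standard sqlite3 module rather than PHP, and the schema, rows, allow-list and function names are constructed for illustration:

```python
import sqlite3

# Constructed sample schema and rows (not from the original thread).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age INTEGER, role TEXT);
INSERT INTO users VALUES (1, 'alice', 34, 'admin'), (2, 'bob', 19, 'user'),
                         (3, 'carol', 52, 'user');
"""

# Rule 1: identifiers never come from the request. The caller may only pick
# from this fixed allow-list, which the application owns.
SORTABLE_COLUMNS = {"name", "age"}

def as_int(value):
    """Rule 2: an integer field must really be an integer, not a string."""
    if isinstance(value, int) and not isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lstrip("-").isdigit():
        return int(value)
    raise ValueError("expected an integer, got %r" % (value,))

def quote_identifier(name):
    """Rule 3: SQL-standard identifier quoting (double quotes, embedded ones doubled)."""
    return '"' + name.replace('"', '""') + '"'

def find_users(conn, role, min_age, order_by):
    """Rule 4: every value is bound with a placeholder, never pasted into the SQL."""
    if order_by not in SORTABLE_COLUMNS:
        raise ValueError("unknown sort column %r" % (order_by,))
    sql = ("SELECT name FROM users WHERE role = ? AND age >= ? ORDER BY "
           + quote_identifier(order_by))
    # One statement per call: sqlite3's execute() refuses stacked statements,
    # so even a bug elsewhere cannot turn this into two queries.
    return [row[0] for row in conn.execute(sql, (role, as_int(min_age)))]

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    normal = find_users(conn, "user", "18", "age")           # ['bob', 'carol']
    # The classic probe is bound as a plain string and matches no role at all.
    probe = find_users(conn, "user' OR 1=1 --", 0, "name")   # []
    rejected = 0
    for bad_age, bad_col in (("18 OR 1=1", "age"), (0, "age; DROP TABLE users")):
        try:
            find_users(conn, "user", bad_age, bad_col)
        except ValueError:
            rejected += 1                                    # rules 1 and 2 fire first
    return normal, probe, rejected
```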
