RE: TWIG SQL query bugs

From: Jeff Dafoe (jeffdat_private)
Date: Thu May 31 2001 - 08:42:56 PDT


    > Good programming practice is to code a function specifically to strip any
    > possible malicious characters out of strings, and wrap it around every
    > variable put into a query, whether it should be user-supplied or not.
    > Addslashes is a good function to call from your stripping function, but it
    > should not be your only line of defense.
    
    Remember that truly good programming practice is to make sure that your
    sanitization function defines what is allowed to exist in the string (known
    good) and then strips everything else out. This and other items relating to
    secure programming practices are discussed in the secprog mailing list
    (secprogat_private).
    
    
    Jeff
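The following is an added illustration of the two approaches contrasted in this thread, written for this archive page; it is not code from TWIG or from either poster. It puts a known-good (allow-list) sanitizer beside a Python port of PHP's addslashes() and shows how each treats the same constructed inputs. The allowed character set, the 64-character cap, the `messages`/`folder` table and column, and the sample values are all assumptions made for the example.

```python
import re

# Known-good definition (constructed for this example): a folder name may
# contain only ASCII letters, digits, underscore, dot and hyphen, and must be
# between 1 and 64 characters long. Tighten or loosen this per field.
ALLOWED_CHAR_RE = re.compile(r"[A-Za-z0-9_.-]")
ALLOWED_VALUE_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def sanitize_known_good(value: str, max_len: int = 64) -> str:
    """Allow-list sanitizer as described in the thread: keep only characters
    that match the known-good set, drop everything else, then cap the length."""
    kept = "".join(ch for ch in value if ALLOWED_CHAR_RE.fullmatch(ch))
    return kept[:max_len]


def is_known_good(value: str) -> bool:
    """Stricter variant: accept the value only if it is entirely known good.
    Rejecting is usually preferable to silently stripping, because a stripped
    value may refer to a different record than the one the caller asked for."""
    return ALLOWED_VALUE_RE.fullmatch(value) is not None


def addslashes(value: str) -> str:
    """Python re-implementation of PHP's addslashes(): puts a backslash before
    single quote, double quote, backslash and NUL. This is a blocklist: it only
    touches the four characters it knows about and leaves everything else."""
    out = []
    for ch in value:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def folder_query(folder: str) -> str:
    """Assemble the query only after the value passed the known-good check,
    otherwise refuse. Wrap every variable this way, whether or not it is
    believed to be user supplied. (Table and column names are assumptions.)"""
    if not is_known_good(folder):
        raise ValueError(f"rejected folder name: {folder!r}")
    return f"SELECT * FROM messages WHERE folder = '{folder}'"


if __name__ == "__main__":
    # Constructed sample inputs: one clean name, one with a quote,
    # one with a space and punctuation outside the allowed set.
    for sample in ("INBOX", "o'brien", "Sent Items!"):
        print(f"{sample!r:14} known_good={is_known_good(sample)!s:5} "
              f"stripped={sanitize_known_good(sample)!r:12} "
              f"addslashes={addslashes(sample)!r}")
```

Note the difference on "Sent Items!": addslashes() returns it unchanged because none of its four characters appear, while the known-good filter either strips it to "SentItems" or, in the rejecting variant, refuses it outright. That is the practical meaning of "define what is allowed and strip everything else" versus "escape the characters you happen to know are bad". Where the database driver supports it, passing the validated value as a bound parameter rather than interpolating it into the query string is the further step a practitioner would add today.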
    



    This archive was generated by hypermail 2b30 : Thu May 31 2001 - 17:44:16 PDT