> Good programming practice is to code a function specifically to strip any
> possible malicious characters out of strings, and wrap it around every
> variable put into a query, whether it should be user-supplied or not.
> Addslashes is a good function to call from your stripping function, but it
> should not be your only line of defense.

Remember that truly good programming practice is to make sure that your sanitization function defines what is allowed to exist in the string (known good) and then strips everything else out. This and other items relating to secure programming practices are discussed in the secprog mailing list (secprogat_private).

Jeff
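The two points made above (an addslashes-style escaper is not a sufficient defense on its own, and a sanitizer should define what is known good and reject the rest) are shown below in a worked example. This is added code, not part of the original message or the secprog list; it uses Python with an in-memory SQLite table of constructed sample rows, a small imitation of PHP's addslashes(), and two hypothetical lookup functions named here for illustration. The numeric-column case is the one worth seeing: when the value is not inside quotes, there is nothing for an escaper to escape, so only an allowlist check (and a bound parameter) stops the injection.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def addslashes(s: str) -> str:
    """Python imitation of PHP's addslashes(): backslash before ' " \\ and NUL."""
    return (
        s.replace("\\", "\\\\")
        .replace("'", "\\'")
        .replace('"', '\\"')
        .replace("\0", "\\0")
    )


def lookup_escaped_only(conn: sqlite3.Connection, user_id: str) -> list:
    """Weak, 'strip the bad characters' style: escaping is the only defence.
    The column is numeric, so the value is unquoted in the query and
    addslashes() has nothing to escape; 'OR 1=1' passes straight through."""
    sql = "SELECT id, name FROM users WHERE id = " + addslashes(user_id)
    return conn.execute(sql).fetchall()


# Allowlists (hypothetical, chosen for this example): what is *allowed* to
# exist in each field, rather than a list of characters to strip out.
ID_RE = re.compile(r"[0-9]{1,9}")
NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def is_allowed(value: str, pattern: "re.Pattern[str]") -> bool:
    """Known-good check: the whole value must match the pattern."""
    return pattern.fullmatch(value) is not None


def validate(value: str, pattern: "re.Pattern[str]") -> str:
    """Reject anything outside the allowlist instead of trying to clean it."""
    if not is_allowed(value, pattern):
        raise ValueError(f"rejected input: {value!r}")
    return value


def lookup_validated(conn: sqlite3.Connection, user_id: str) -> list:
    """Allowlist validation plus a bound parameter, so the value is data, never SQL."""
    uid = int(validate(user_id, ID_RE))
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (uid,)).fetchall()


def lookup_by_name(conn: sqlite3.Connection, name: str) -> list:
    """Same layered approach for a string column."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (validate(name, NAME_RE),)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(lookup_escaped_only(conn, "2"))           # [(2, 'bob')]
    print(lookup_escaped_only(conn, "2 OR 1=1"))    # all three rows: escaping did nothing
    print(lookup_validated(conn, "2"))              # [(2, 'bob')]
    print(lookup_by_name(conn, "alice"))            # [(1, 'alice')]
    try:
        lookup_validated(conn, "2 OR 1=1")
    except ValueError as e:
        print(e)                                    # rejected input: '2 OR 1=1'
```

The trade-off a practitioner has to make is visible in NAME_RE: an allowlist that tight also rejects a legitimate value such as "o'brien", so the pattern must be written from the real data format for each field, not copied between them. Rejecting (and logging) out-of-allowlist input is usually preferable to silently stripping characters, because stripping can turn one harmless value into another that is not.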
This archive was generated by hypermail 2b30 : Thu May 31 2001 - 17:44:16 PDT