Re: Re: sql injection protection

Haluk Karamete <halukkaramete@xxxxxxxxx> wrote on 20 January 2012 at 20:56:

> Do we all agree on that? It's a plain YES or NO question right here.

No, I do not agree.

1) There is no sense in cleaning up all arrays using mysql escape. This one
is for escaping BEFORE using it in a query. Why should I alter all my
get/post data, if not all data is passed to sql?

2) Think about big post arrays and consider 1) Why should I waste CPU time
to escape all my data, even if not all data is used in sql?

3) The approach you try to re-invent here is already known, take a look at
the php docs by searching for filter extension

4) What is the sense in connecting to a database at the beginning of every
script? What if the script will not use it, because data validation
failed? You wasted a mysql connection on that.

There are many more reasons, and I am sure there will be follow ups on
that.

So it's a plain NO from me.

Marco Behnke
Dipl. Informatiker (FH), SAE Audio Engineer Diploma
Zend Certified Engineer PHP 5.3

Tel.: 0174 / 9722336
e-Mail: marco@xxxxxxxxxx

Softwaretechnik Behnke
Heinrich-Heine-Str. 7D
21218 Seevetal

http://www.behnke.biz
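As an added illustration of the points in the reply above (validate only the fields a script actually uses, do it with the filter extension, and open the database connection only after validation has passed), here is a small PHP script. It is example code written for this page, not code from the poster or from the thread. It goes one step further than the reply by using a PDO prepared statement at the point of use instead of escaping the input at all; the table layout, field names and the in-memory SQLite connection (standing in for a MySQL DSN) are assumptions made so the example runs offline.

```php
<?php
// Added example, not from the original post. Shows field-by-field validation
// with the filter extension, a lazily opened connection, and a prepared
// statement at the point of use instead of escaping all of $_POST up front.
// Table, column and field names are assumptions for illustration.

declare(strict_types=1);

/**
 * Validate only the two fields this script needs. Returns null on any
 * failure so the caller can stop before a database connection is opened.
 */
function validate_login_input(array $post): ?array
{
    $user = filter_var($post['username'] ?? '', FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => '/^[A-Za-z0-9_.-]{1,32}$/'],
    ]);
    $page = filter_var($post['page'] ?? '', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 10000],
    ]);
    if ($user === false || $page === false) {
        return null;
    }
    return ['username' => $user, 'page' => $page];
}

/** Open the connection lazily: first called only after validation passed. */
function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        // In-memory SQLite so the example runs offline; in production a MySQL
        // DSN such as 'mysql:host=...;dbname=...' would replace it (assumption).
        $pdo = new PDO('sqlite::memory:', null, null, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
        // Constructed fixture data for the example.
        $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');
        $pdo->exec("INSERT INTO users (username) VALUES ('alice')");
    }
    return $pdo;
}

function find_user(string $username): ?array
{
    // Placeholder binding: the value travels separately from the SQL text,
    // so no escaping of the input is needed or wanted here.
    $stmt = db()->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample requests standing in for $_POST. The second one is the
// classic injection string; it is simply invalid input for a username field
// and never reaches the database.
$samples = [
    ['username' => 'alice', 'page' => '2'],
    ['username' => "' OR 1=1 -- ", 'page' => '2'],
];

foreach ($samples as $post) {
    $input = validate_login_input($post);
    if ($input === null) {
        echo 'rejected before any DB connection: ' . json_encode($post) . "\n";
        continue;
    }
    $row = find_user($input['username']);
    echo $row === null ? "no such user\n" : "found user id {$row['id']}\n";
}
```

Run with `php example.php` (requires the pdo_sqlite extension). Only the first sample opens a connection; the second is rejected by the filter before `db()` is ever called, which is the CPU and connection saving the reply argues for.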

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php