daved
Joined: 22 Nov 2005
Posts: 1
Location: Bellingham, WA
Posted: Wed Nov 30, 2005 10:47 pm    Post subject: database quoting
Sorry for cross-posting, but I didn't get an answer from the mailing list.
-----Original Message-----
From: Sergio A. Kessler [mailto:sergiokessler@gmail.com]
Sent: Tuesday, November 22, 2005 3:25 PM
To: Dave Dunkin
Cc: vtigercrm-developers@lists.sourceforge.net
Subject: Re: [vtigercrm-developers] database quoting
so we are all on the same page:
Dave talks about doing:
a) $db->query("insert into foo values ('$bar')");
vs.
b) $db->query('insert into foo values (?)', array($bar));
a) is a BIG security risk, because if $bar is some value from $_GET or $_POST, some user can send $bar with a value of "'qwerty'); delete from client;"
see the risk? your insert is executed, but the table 'client' is deleted.
meanwhile the b) procedure 'prepares' the query so all the parameters are quoted correspondingly, so no harm is produced by SQL injection.
the example was PEAR::DB-ish; ADOdb has similar functions...
regards,
/sak
On 11/22/05, Dave Dunkin <DaveD@dis-corp.com> wrote:
>
> Hello. My company is currently evaluating vtiger crm for internal use. I
> have a small team dedicated to fixing bugs and making improvements. One
> thing I have noticed right away is that data is rarely if ever quoted before
> being put into a SQL statement. This is a huge security hole (open to SQL
> injection attacks), as well as an annoyance (you can't insert data that
> contains a quote). Is there a reason for not quoting? If my team submitted
> patches that quoted everything that needed to be quoted, what would be the
> timeline for integration? I have noticed that quite a few code contributions
> have not been integrated into the product, and I want to make sure we're not
> wasting our time.
>
> Thanks,
>
> Dave Dunkin
> Lead Web Developer
> DIS Corporation
> 360.647.4120
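An added example to make the a) vs. b) distinction from the thread concrete; this is not code from the mailing list or from vtiger. The thread is about PHP with PEAR::DB, but the script below uses Python's built-in sqlite3 module so it runs with no setup. Everything in it is constructed for the demo: the `foo` and `client` tables, the one `client` row, and a payload of the same shape as Sergio's (it closes the string and the VALUES list, appends a second statement, and comments out the leftover quote). Since sqlite3's execute() refuses to run more than one statement, executescript() stands in for a driver that executes whatever statements end up in the string, which is the condition under which the stacked `delete from client` actually fires.

```python
import sqlite3

# Constructed hostile value, same shape as the one quoted in the thread.
# The trailing "--" comments out the ')' and quote the template appends.
PAYLOAD = "qwerty'); delete from client; --"


def fresh_db():
    """Constructed in-memory schema: table 'foo' plus table 'client' with one row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "create table foo (val text);"
        "create table client (name text);"
        "insert into client values ('acme');"
    )
    return conn


def insert_interpolated(conn, bar):
    """Pattern a) from the thread: the value is pasted into the SQL text.

    executescript() is used on purpose to emulate a driver that runs every
    statement it finds in the string (as MySQL does with multi-statements
    enabled); that is what turns the value into extra SQL.
    """
    conn.executescript("insert into foo values ('%s');" % bar)


def insert_parameterized(conn, bar):
    """Pattern b): placeholder plus bound parameter.

    The value travels separately from the SQL text, so the driver treats it
    as data only; quotes and semicolons inside it are never parsed as syntax.
    """
    conn.execute("insert into foo values (?)", (bar,))


def client_rows(conn):
    return conn.execute("select count(*) from client").fetchone()[0]


def foo_values(conn):
    return [r[0] for r in conn.execute("select val from foo").fetchall()]


def demo():
    results = {}

    # a) the hostile value is executed: foo gets 'qwerty' AND client is emptied
    conn = fresh_db()
    insert_interpolated(conn, PAYLOAD)
    results["interpolated_clients_left"] = client_rows(conn)
    results["interpolated_foo"] = foo_values(conn)

    # b) the same value is stored verbatim and client is untouched
    conn = fresh_db()
    insert_parameterized(conn, PAYLOAD)
    results["parameterized_clients_left"] = client_rows(conn)
    results["parameterized_foo"] = foo_values(conn)

    # The "annoyance" Dave mentions: an ordinary apostrophe breaks pattern a)
    # outright, while pattern b) just stores it.
    conn = fresh_db()
    try:
        insert_interpolated(conn, "O'Brien")
        results["interpolated_quote_fails"] = False
    except sqlite3.Error:
        results["interpolated_quote_fails"] = True

    conn = fresh_db()
    insert_parameterized(conn, "O'Brien")
    results["quote_ok"] = foo_values(conn) == ["O'Brien"]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The PHP equivalent of the safe path is exactly Sergio's b): `$db->query('insert into foo values (?)', array($bar))`. The property that matters is the same in both languages: the value is bound as a parameter rather than spliced into the statement text, so the driver never has to guess where the data ends and the SQL resumes, and a value containing a quote is just a value.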