appdb security

EA Durbin ead1234 at hotmail.com
Thu Jun 8 12:40:55 CDT 2006


I always use the method of filtering user input as described at the PHP 
Security Consortium. It makes it easier to track tainted user input vs. 
filtered input. If all filtered variables are put in an array it makes it 
easier to ensure you're using the non-tainted variable.

http://phpsec.org/projects/guide/1.html#1.4

Then PEAR::DB to query the mysql database as PEAR::DB handles the SQL 
filtering.


>From: Jonathan Ernst <jonathan at ernstfamily.ch>
>To: wine-devel at winehq.com
>Subject: Re: appdb security
>Date: Thu, 08 Jun 2006 18:12:20 +0200
>
>On Thursday 08 June 2006 at 11:42 -0400, Chris Morgan wrote:
> > Can you come up with a non-destructive working example for the appdb
> > website(appdb.winehq.org)? ;-)
> >
> > I ask because I thought we went through this some time ago but I agree 
> > that what you say looks like an open issue.
> >
> > Chris
>
>
>Lately I used the following snippet in all my webapps to secure them
>against sql injection :
>
>http://php.net/mysql_real_escape_string under "Best practice".
>
><?php
>function smart_quote($value)
>{
>    // Stripslashes
>    if (get_magic_quotes_gpc()) {
>      $value = stripslashes($value);
>    }
>    // Protect it if it's not an integer
>    if (!is_numeric($value)) {
>      $value = "'" . mysql_real_escape_string($value) . "'";
>    }
>    return $value;
>}
>
>// Secure query
>$sQuery = sprintf("SELECT *
>                    FROM users
>                    WHERE user=%s AND password=%s",
>                    smart_quote($_POST['username']),
>                    smart_quote($_POST['password']));
>mysql_query($sQuery);   // run the query built above (the variable is $sQuery, not $query)
>?>
>
>I think it is better than what we have now in AppDB (didn't check it
>though). If nobody looks at it, I'll check the code after my master
>thesis (in one month).
>
>Jonathan

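Added example, not code from this thread or from the AppDB site, showing the two ideas in this message together: the phpsec tainted-vs-filtered pattern EA Durbin describes (raw request values stay where they are, only whitelisted values are copied into a `$clean` array, and the query reads from `$clean` alone) and a login lookup with the same shape as Jonathan's `smart_quote` query written as a parameterised query instead of string assembly. The thread names PEAR::DB; this script substitutes PDO over an in-memory SQLite table so it runs stand-alone from the PHP CLI. The table, the request values, the whitelist rules and the `find_user` function are all constructed for the example.

```php
<?php
// Added example (not from the wine-devel thread): phpsec-style input filtering
// plus a parameterised query. PEAR::DB, named in the thread, is replaced by PDO
// with an in-memory SQLite database so the script runs without a server.

// Constructed request data standing in for a real form submission.
$_POST = array(
    'username' => 'admin',
    'password' => "x' OR '1'='1",   // hostile-looking input; it stays data throughout
);

// Only values that pass an explicit whitelist check are copied into $clean.
// Everything else is left in $_POST, which the rest of the script never reads.
$clean = array();

// Username: 1..32 characters from a fixed alphabet.
if (isset($_POST['username'])
    && preg_match('/^[A-Za-z0-9_]{1,32}$/', $_POST['username'])) {
    $clean['username'] = $_POST['username'];
}

// Password: any non-empty string up to 128 bytes. Its content is not restricted,
// so protection against SQL injection has to come from the query, not the filter.
if (isset($_POST['password'])
    && strlen($_POST['password']) > 0
    && strlen($_POST['password']) <= 128) {
    $clean['password'] = $_POST['password'];
}

// Parameterised lookup (hypothetical helper). The values are bound separately
// from the SQL text, so no quoting or escaping step exists that could be
// forgotten, and a value like "x' OR '1'='1" is compared literally.
// The plaintext password comparison only mirrors the query in the thread;
// a real application would compare a password hash instead.
function find_user(PDO $db, array $clean)
{
    if (!isset($clean['username'], $clean['password'])) {
        return null;   // input did not pass the filter; the database is not touched
    }
    $stmt = $db->prepare('SELECT id, user FROM users WHERE user = ? AND password = ?');
    $stmt->execute(array($clean['username'], $clean['password']));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, password TEXT)');
$db->exec("INSERT INTO users (user, password) VALUES ('admin', 'secret')");

// 1. Hostile password bound as a parameter: compared literally, matches no row.
var_dump(find_user($db, $clean));

// 2. The credentials a legitimate request would have produced.
$clean['password'] = 'secret';
var_dump(find_user($db, $clean));

// 3. A username that fails the whitelist never reaches $clean, so the lookup
//    is refused before any SQL is built.
$_POST['username'] = "admin' --";
$clean = array();
if (preg_match('/^[A-Za-z0-9_]{1,32}$/', $_POST['username'])) {
    $clean['username'] = $_POST['username'];
}
$clean['password'] = 'secret';
var_dump(find_user($db, $clean));
```

The division of labour is the point: the whitelist decides what is acceptable input and the bound parameters guarantee that whatever survives the whitelist can never change the structure of the query. Jonathan's `smart_quote` tries to get the second guarantee by escaping while assembling the SQL text; with placeholders (in PEAR::DB, `$db->query($sql, $params)` takes the same role as `prepare`/`execute` here) there is no assembly step to get wrong.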