Cable Forum

Paul 19-07-2010 13:04

Re: Secure Coding
 
As far as MySQL is concerned, you don't need parameterised queries to be safe, you just need to make sure that if the data is a number then it's really numeric (use something like intval(x) to clean it) - and if it's text, make sure it's escaped (the MySQL/PHP interface has a built-in function to do this).

AntiSilence 19-07-2010 16:23

Re: Secure Coding
 
Quote:

Originally Posted by punky (Post 35058434)
Parameterised queries are unique to ASP.NET

Surely you mean ADO.NET ;)

punky 19-07-2010 16:33

Re: Secure Coding
 
Quote:

Originally Posted by AntiSilence (Post 35058636)
Surely you mean ADO.NET ;)

I didn't think about that as Raistlin was talking about web-only technologies so defaulted to ASP.NET rather than all of .NET

Which reminds me, I used ADO.NET a while ago to connect my ASP.NET app to MySQL. I wonder if it supports parameterisation? I'm guessing it does as ASP.NET does the work and not the DB engine?

Damien 19-07-2010 17:05

Re: Secure Coding
 
Quote:

Originally Posted by punky (Post 35058639)
I didn't think about that as Raistlin was talking about web-only technologies so defaulted to ASP.NET rather than all of .NET

Which reminds me, I used ADO.NET a while ago to connect my ASP.NET app to MySQL. I wonder if it supports parameterisation? I'm guessing it does as ASP.NET does the work and not the DB engine?

Like I mentioned previously. The database does require support. This is because the Parametrised Queries are not a query which is then escaped by the ADO.Net Framework.

Instead these are queries which are passed down to the database with the tokens (@whatever) to the database. The MS SQL database does two things, that I know of, first of all it caches a query execution plan. This allows it to perform subsequent operations marginally faster as, because the query has been parametrised, the only variables to the query are those parameters which it does not need yet.

Second; it inserts the parameter values which you pass down from your application.

Try it out. Write a parametrised query from your application and 'forget' to supply a parameter. The error thrown will be from the database and not the .Net framework.
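
Added example (not code from the thread): the two points made above by Paul and Damien, shown in Python against an in-memory SQLite database standing in for MySQL/MS SQL. The users table and its rows are constructed for the example; find_by_id mirrors Paul's numeric check with Python's int() in place of PHP's intval, and missing_parameter_error is Damien's "forget to supply a parameter" test.

```python
import sqlite3


def make_db():
    """Constructed sample database: three users, one with a quote in the name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "o'brien")],
    )
    conn.commit()
    return conn


def find_by_name(conn, name):
    """Parameterised lookup: the SQL text never changes, `name` travels to the
    engine as a bound value, so quotes inside it are data, not syntax."""
    sql = "SELECT id FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def find_by_id(conn, raw_id):
    """Paul's numeric check: coerce the input to an integer before using it.
    int() is stricter than PHP's intval, which would accept '2 OR 1=1' as 2;
    here anything that is not a whole integer is rejected outright."""
    try:
        user_id = int(raw_id)
    except (TypeError, ValueError):
        return []
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def missing_parameter_error(conn):
    """Damien's test: two placeholders, one value. The prepared statement
    declares two parameters, so binding fails before anything executes and
    the driver raises sqlite3.ProgrammingError rather than returning rows."""
    try:
        conn.execute("SELECT id FROM users WHERE name = ? AND id = ?", ("alice",))
    except sqlite3.ProgrammingError as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    db = make_db()
    print(find_by_name(db, "o'brien"))              # [3], no escaping needed
    print(find_by_name(db, "bob' OR '1'='1"))       # [], the whole string is one name
    print(find_by_id(db, "2"), find_by_id(db, "2 OR 1=1"))
    print(missing_parameter_error(db))
```

Python's sqlite3 module also keeps a cache of prepared statements keyed by the SQL text, which is the same plan-reuse benefit Damien describes for MS SQL.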

Raistlin 19-07-2010 17:49

Re: Secure Coding
 
To be honest the original query was meant to be platform/language agnostic - so all/any comments/suggestions are being gratefully received :)

Coding is something I haven't done much of, so whilst I understand the requirement to properly check/sanitise input and to use parameterised queries etc I've never actually had to do it - hence the reason for the original question.

I want to start coding more, but (being aware of the usual issues that people create for themselves by not doing it properly) I want to get into good secure habits from the start :)

punky 19-07-2010 17:53

Re: Secure Coding
 
Quote:

Originally Posted by Damien (Post 35058653)
Like I mentioned previously. The database does require support. This is because the Parametrised Queries are not a query which is then escaped by the ADO.Net Framework.

Instead these are queries which are passed down to the database with the tokens (@whatever) to the database. The MS SQL database does two things, that I know of, first of all it caches a query execution plan. This allows it to perform subsequent operations marginally faster as, because the query has been parametrised, the only variables to the query are those parameters which it does not need yet.

Second; it inserts the parameter values which you pass down from your application.

Try it out. Write a parametrised query from your application and 'forget' to supply a parameter. The error thrown will be from the database and not the .Net framework.

You're correct, never realised that before. :tu:

AntiSilence 19-07-2010 18:26

Re: Secure Coding
 
Can't say I've noticed that before either lol. Nice one.

punky 19-07-2010 19:11

Re: Secure Coding
 
Quote:

Originally Posted by AntiSilence (Post 35058712)
Can't say I've noticed that before either lol. Nice one.

Makes me feel less of a noob then :p:

AntiSilence 19-07-2010 19:20

Re: Secure Coding
 
Quote:

Originally Posted by punky (Post 35058761)
Makes me feel less of a noob then :p:

Lol, yeah :) I don't get exceptions which is why I never noticed! ;) :D LMAO

Damien 19-07-2010 21:23

Re: Secure Coding
 
I only know it because I have worked with it for a project :p:

But they are a neat feature and one I would hope is supported by modern technologies. I'm not sure if that PHP one does work correctly and not, as Punky said might be the case, a glorified string.format.

---------- Post added at 21:23 ---------- Previous post was at 21:14 ----------

Quote:

Originally Posted by Raistlin (Post 35058668)
To be honest the original query was meant to be platform/language agnostic - so all/any comments/suggestions are being gratefully received :)

Coding is something I haven't done much of, so whilst I understand the requirement to properly check/sanitise input and to use parameterised queries etc I've never actually had to do it - hence the reason for the original question.

I want to start coding more, but (being aware of the usual issues that people create for themselves by not doing it properly) I want to get into good secure habits from the start :)

The thing is any book that covers only security might well be far too in-depth for what you need right now. They would be aimed at people trying to lock down an enterprise level application.

What stage are you at? I think that learning best practices in general regarding code reuse, readability, will be of greater benefit to you than security. All you need to remember at the moment is DON'T TRUST YOUR USERS' INPUT! Then learn the rest as you go...
