Thread: Secure Coding
19-07-2010, 10:47   #11
Damien
Re: Secure Coding

Quote:
Originally Posted by punky
Admittedly I don't use MySQLi extensions but it doesn't actually say in that doc that it sanitises input like ASP.NET. So it might just be a glorified String.Format function.
Good point.

Quote:
Speaking of data abstraction ZendFramework does sanitise input via factory queries but it shouldn't be assumed they all do.
What do you mean by sanitise? If it's removing invalid characters then it's hardly ideal either. Parametrised query mechanisms shouldn't be tampering with the string, they should simply be telling the database that this is the query and these are the values for that query.

Either way, removing invalid characters is a nasty workaround.
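The distinction Damien draws above, as an added example that is not code from this thread: it uses Python's built-in sqlite3 module (an assumption, standing in for MySQLi) and a constructed name containing an apostrophe to show that building the SQL string breaks on legitimate data, that a character-stripping "sanitiser" silently corrupts it, and that a parametrised query stores it intact because the query and the value travel to the database separately.

```python
import sqlite3

# Constructed sample input: a perfectly legitimate value with an apostrophe.
NAME = "O'Brien"


def fresh_db():
    """In-memory database with a single-column table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    return conn


def insert_by_string_building(conn, name):
    # Query text and data are mixed into one string, so the apostrophe in
    # the data is read by the database as SQL syntax and the statement fails.
    conn.execute("INSERT INTO users (name) VALUES ('%s')" % name)


def strip_invalid_chars(value):
    # The "remove invalid characters" workaround: legal data is altered.
    return value.replace("'", "").replace(";", "").replace("--", "")


def insert_with_stripping(conn, name):
    conn.execute("INSERT INTO users (name) VALUES ('%s')" % strip_invalid_chars(name))


def insert_parametrised(conn, name):
    # The query is sent as-is; the value is bound separately and never edited.
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))


def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM users")]


def demo():
    """Run the three approaches on NAME and report what each one stored."""
    results = {}
    conn = fresh_db()
    try:
        insert_by_string_building(conn, NAME)
        results["string_building"] = stored_names(conn)
    except sqlite3.OperationalError as exc:
        results["string_building"] = "error: %s" % exc
    conn = fresh_db()
    insert_with_stripping(conn, NAME)
    results["stripping"] = stored_names(conn)
    conn = fresh_db()
    insert_parametrised(conn, NAME)
    results["parametrised"] = stored_names(conn)
    return results


if __name__ == "__main__":
    for approach, outcome in demo().items():
        print(approach, outcome)
```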