Thread: Secure Coding
Old 19-07-2010, 12:42   #14
punky
Re: Secure Coding

Quote:
Originally Posted by Damien View Post
Thought you meant that. Surely some of the bigger layers support actual parametrisation?
Not quite. PHP frameworks contain query factory classes that look like ASP.NET parameterisation, but all it does is build the query and then sanitise the input for you.

For example, using a generic query factory class:

$myQuery = $framework->query("INSERT INTO table ('Name') VALUES(@Name);"); // build the query with a named placeholder
$myQuery->addWithValue("@Name", "punky");                                     // bind a value to the placeholder
$myQuery->execute();                                                          // run it

That looks like ASP.NET but really all it does is sanitise "punky" and then do a regexp replace to put it in so it becomes:

"INSERT INTO table ('Name') VALUES('punky');"

And then gets executed. That's all ASP.NET parameterisation does really (except in ASP.NET you can specify types which will throw exceptions if you try and tamper with it) but in that case you are trusting Microsoft to handle it.

Anyway, Raistlin asked about base PHP.
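An added illustration of the distinction being made above, not code from the thread or from any real framework: the first half is a minimal stand-in for the escape-then-interpolate "query factory" the post describes, so you can see exactly what string the server receives; the second half is base PHP using PDO with emulated prepares turned off, where the SQL text and the value are sent to MySQL separately. The class name, the `people` table and the PDO connection details are assumptions.

```php
<?php
// Part 1: stand-in for the framework "query factory" described in the post.
// It escapes each bound value and splices it into the SQL text, so the
// database only ever sees a finished string (this class is hypothetical).
final class FactoryQuery
{
    private array $values = [];

    public function __construct(private string $sql) {}

    public function addWithValue(string $name, string $value): void
    {
        $this->values[$name] = $value;
    }

    // Escape, then regexp-replace the placeholder with a quoted literal.
    public function build(): string
    {
        $sql = $this->sql;
        foreach ($this->values as $name => $value) {
            // addslashes() stands in for the framework's sanitiser; real code
            // must use the driver's charset-aware escape function instead.
            $literal = "'" . addslashes($value) . "'";
            $sql = preg_replace_callback(
                '/' . preg_quote($name, '/') . '\b/',
                static fn () => $literal,
                $sql
            );
        }
        return $sql;
    }
}

$q = new FactoryQuery("INSERT INTO people (Name) VALUES(@Name);"); // table name assumed
$q->addWithValue('@Name', "O'Brien");
echo $q->build(), PHP_EOL; // the quote in the value is escaped inside the SQL text

// Part 2: base PHP with PDO and emulation disabled. The statement is prepared
// server-side and the value travels separately; no escaping or string
// splicing happens in PHP. Connection values below are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);
$stmt = $pdo->prepare('INSERT INTO people (Name) VALUES (:name)');
$stmt->bindValue(':name', "O'Brien", PDO::PARAM_STR);
$stmt->execute();
```

With `ATTR_EMULATE_PREPARES` left at its default of true, PDO's MySQL driver falls back to the same escape-and-interpolate behaviour as Part 1, so the attribute is the part that makes the difference.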