Thread: Secure Coding
Old 19-07-2010, 13:02   #15
Damien
Remoaner
Cable Forum Team
Re: Secure Coding

Quote:
Originally Posted by punky

And then gets executed. That's all ASP.NET parameterisation does really (except in ASP.NET you can specify types which will throw exceptions if you try and tamper with it) but in that case you are trusting Microsoft to handle it.

Anyway, Raistlin asked about base PHP.
In .Net, parameterisation is a concept supported at the database level, i.e. the database itself knows what a parameter is. A query is passed down along with the parameters, and the database then executes the query, drawing on those parameters to put into the database, but the .Net framework doesn't escape the characters and send the database a safe string.

This also allows MS SQL to draw and cache database execution plans, because the parameterised query will always be the same string with only the params changing.

Anyway, yes, off-topic.
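An added example, not from the thread or from Damien, illustrating the point above: with a parameterised query the SQL text sent to the engine is a constant and the value is bound separately as data, so the engine never parses it as syntax (and can reuse one plan). Python's sqlite3 module is used here as a stand-in for the .Net/MS SQL pairing because its `?` placeholders are bound the same way; the table and inputs are constructed for the demo.

```python
import sqlite3

# Constructed sample database, not from the forum thread.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", 1), ("bob", 0)])
    conn.commit()
    return conn

def lookup_concatenated(conn, name):
    # Vulnerable form: the value is spliced into the SQL text, so any quote
    # characters it carries are parsed as part of the statement and the
    # query text differs on every call (no plan reuse either).
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterised(conn, name):
    # Parameterised form: the SQL text is fixed; the value travels alongside
    # it and is bound by the engine as data. No escaping happens in Python.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def lookup_typed_id(conn, user_id):
    # Mirrors the typed-parameter idea from the quoted post: reject a value
    # of the wrong type up front instead of quietly stringifying it.
    if not isinstance(user_id, int):
        raise TypeError("user_id must be int, got %s" % type(user_id).__name__)
    sql = "SELECT name FROM users WHERE rowid = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]

if __name__ == "__main__":
    db = make_db()
    tampered = "x' OR '1'='1"          # constructed hostile-looking input
    print(lookup_concatenated(db, tampered))   # every row: parsed as SQL
    print(lookup_parameterised(db, tampered))  # []: treated as a literal name
    print(lookup_typed_id(db, 1))              # ['alice']
```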