Secure Coding - Page 2

**Paul** · 19-07-2010, 13:04

As far as MySQL is concerned, you dont need parameterised queries to be safe, you just need to make sure that if the data is a number then its really numeric (use something like intval(x) to clean it) - and if its text, make sure its escaped (the MySQL/PHP inteface has a built in function to do this).

AntiSilence · 19-07-2010, 16:23

Quote:

Originally Posted by punky

Parameterised queries are unique to ASP.NET

Surely you mean ADO.NET

punky · 19-07-2010, 16:33

Quote:

Originally Posted by AntiSilence

Surely you mean ADO.NET

I didn't think about that as Raistlin was talking about web-only technologies so defaulted to ASP.NET rather than all of .NET

Which reminds me, I used ADO.NET a while ago to connect my ASP.NET app to MySQL. I wonder if they supports parameterisation? I'm guessing it does as ASP.NET does the work and not the DB engine?

**Damien** · 19-07-2010, 17:05

Quote:

Originally Posted by punky

I didn't think about that as Raistlin was talking about web-only technologies so defaulted to ASP.NET rather than all of .NET

Which reminds me, I used ADO.NET a while ago to connect my ASP.NET app to MySQL. I wonder if they supports parameterisation? I'm guessing it does as ASP.NET does the work and not the DB engine?

Like I mentioned previously. The database does require support. This is because the Parametrised Queries are not a query which is then escaped by the ADO.Net Framework.

Instead these are queries which are passed down to the database with the tokens (@whatever) to the database. The MS SQL database does two things, that I know of, first of all it caches a query execution plan. This allows it to perform subsequent operations marginally faster as, because the query has been parametrised , the only variables to the query are those parameters which it does not need yet.

Second; it inserts the parameter values which you pass down from your application.

Try it out. Write a parametrised query from your application and 'forget' to supply a parameter. The error thrown will be from the database and not the .Net framework.

Raistlin · 19-07-2010, 17:49

To be honest the original query was meant to be platform/language agnostic - so all/any comments/suggestions are being gratefully received

Coding is something I haven't done much of, so whilst I understand the requirement to properly check/santise input and to use parameterised queries etc I've never actually had to do it - hence the reason for the original question.

I want to start coding more, but (being aware of the usual issues that people create for themselves by not doing it properly) I want to get into good secure habits from the start

punky · 19-07-2010, 17:53

Quote:

Originally Posted by Damien

Like I mentioned previously. The database does require support. This is because the Parametrised Queries are not a query which is then escaped by the ADO.Net Framework.

Instead these are queries which are passed down to the database with the tokens (@whatever) to the database. The MS SQL database does two things, that I know of, first of all it caches a query execution plan. This allows it to perform subsequent operations marginally faster as, because the query has been parametrised , the only variables to the query are those parameters which it does not need yet.

Second; it inserts the parameter values which you pass down from your application.

Try it out. Write a parametrised query from your application and 'forget' to supply a parameter. The error thrown will be from the database and not the .Net framework.

You're correct, never realised that before.

AntiSilence · 19-07-2010, 18:26

Can't say I've noticed that before either lol. Nice one.

punky · 19-07-2010, 19:11

Quote:

Originally Posted by AntiSilence

Can't say I've noticed that before either lol. Nice one.

Makes me feel less of a noob then

AntiSilence · 19-07-2010, 19:20

Quote:

Originally Posted by punky

Makes me feel less of a noob then

Lol, yeah

I don't get exceptions which is why I never noticed!

LMAO

**Damien** · 19-07-2010, 21:23

I only know it because I have worked with it for a project

But they are a neat feature and one I would hope is supported by modern technologies. I not sure if that PHP one does work correctly and not, as Punky said might be the case, a glorified string.format.

---------- Post added at 21:23 ---------- Previous post was at 21:14 ----------

Quote:

Originally Posted by Raistlin

To be honest the original query was meant to be platform/language agnostic - so all/any comments/suggestions are being gratefully received

Coding is something I haven't done much of, so whilst I understand the requirement to properly check/santise input and to use parameterised queries etc I've never actually had to do it - hence the reason for the original question.

I want to start coding more, but (being aware of the usual issues that people create for themselves by not doing it properly) I want to get into good secure habits from the start

The thing is any book that covers only security might well be far too in-depth for what you need right now. They would be aimed at people trying to lock down an enterprise level application.

What stage are you at? I think that learning best practices in general regarding code reuse, readability, will be of greater benefit you than security. All you need to remember at the moment is DON'T TRUST YOUR USERS INPUT! Then learn the rest as you go...