On 01/04/11 18:38, Olaf van der Spek wrote:
> On Wed, Mar 30, 2011 at 11:08 AM, Andrew Hutchings
> <[email protected]> wrote:
>> There are several other things we can possibly do here though, such as:
>> 1. By default multi-statements (i.e. more than one SQL statement in a single
>> query) are disabled in libdrizzle and I think the drizzle PHP module side
>> too. But the Drizzle server needs to support this flag properly.
>
> No benefit if the above is implemented.

No, but it is actually a bug that it isn't implemented (which has now
been filed).

>> 3. Make the PHP module use the SELECT EXECUTE() syntax with user vars for
>> prepared statements. I'm not sure if you can inject using that, will have
>> to play; if you can, it shouldn't be too hard to make a safer version of it.
>
> What's the benefit over my suggestion?

It is server-side, so in theory some optimisations can be made.

>> Basically you will never be entirely safe in any language unless your inputs
>> are sanitized correctly (as Bobby Tables' mother will tell you), and with
>> languages such as PHP having a low entry bar (not a bad thing) unfortunately
>> there are a lot of very vulnerable apps out there.
>
> I blame the developer that only added mysql_query() without adding a
> proper safe API.

There is no point trying to blame anyone here; it doesn't get anyone
anywhere and is not healthy. And you are talking about things that
happened many years ago, likely way before SQL injection attacks even
existed.

> It really isn't that hard to solve this.

No, I'm not saying it is. But what matters is solving it in the right
way for Drizzle, PHP and the community.

> Who's responsible for the Drizzle PHP connector?

At the moment, me (well, the community too).
Kind Regards
--
Andrew Hutchings - LinuxJedi - http://www.linuxjedi.co.uk/
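The two defences discussed in the thread (a connector that refuses multi-statement queries, and proper parameterisation) behave differently against injection, and the example below makes that concrete. It is an added illustration, not code from the thread, libdrizzle or the Drizzle PHP module: it uses Python's sqlite3 module as a stand-in, because its execute() rejects a query that carries a second statement in much the way a connector with multi-statements disabled would. The table, rows and test inputs are all constructed here.

```python
import sqlite3

# Constructed fixture: a small table to query (not from the thread).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO students (name) VALUES (?)",
                     [("alice",), ("bob",)])
    conn.commit()
    return conn

MULTI_STATEMENT_REJECTED = "rejected: multiple statements"


def lookup_concat(conn, name):
    """The mysql_query()-style pattern: user input spliced into the SQL text.

    sqlite3.execute() only runs a single statement; if the input smuggles in a
    second one, the whole query is refused before anything executes. That is
    the 'multi-statements disabled' defence from the thread, and it does
    nothing against input that merely rewrites the WHERE clause.
    """
    sql = "SELECT name FROM students WHERE name = '" + name + "'"
    try:
        return sorted(row[0] for row in conn.execute(sql))
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        # Older CPython raised sqlite3.Warning for this, newer raises
        # ProgrammingError; either way the query never ran.
        return MULTI_STATEMENT_REJECTED


def lookup_param(conn, name):
    """The safe API: the value is bound as data and never parsed as SQL."""
    rows = conn.execute("SELECT name FROM students WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


def table_exists(conn, table):
    """Sanity check that the fixture table survived the probes."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,)).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: one honest name, one that rewrites the condition,
    # one that appends a second statement.
    for probe in ("alice", "x' OR '1'='1", "x'; DROP TABLE students; --"):
        print(repr(probe), "concat:", lookup_concat(db, probe),
              "param:", lookup_param(db, probe))
    print("students table still present:", table_exists(db, "students"))
```

The run shows why "no benefit if the above is implemented" is the right reading: blocking multi-statements stops the appended DROP, but the concatenated query still returns every row for the `' OR '1'='1` input, while the parameterised lookup returns nothing for either hostile input and the honest name for the real one.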
_______________________________________________
Mailing list: https://launchpad.net/~drizzle-discuss
Post to : [email protected]
Unsubscribe : https://launchpad.net/~drizzle-discuss
More help : https://help.launchpad.net/ListHelp