On Sun, Sep 05, 2010 at 04:00:26PM +0800, ApOgEE wrote:
> Salam,
>
> On Sun, Sep 5, 2010 at 2:29 PM, Muzamir Mokhtar <[email protected]> wrote:
>
> > Salam,
> >
> > I have set up mod_security in my httpd.

If I were you, I would not trust anything with this name. Security is a tricky and complicated issue, and pretty much by definition, it is not a software component you can just install.

> sanitize your input to prevent SQL injection

Despite its appearance in an xkcd comic (http://xkcd.com/327/), that's a large mistake. You are going to screw yourself over if you imagine that any level of "sanitizing inputs" will actually protect you from attackers.

The vast majority of SQL injection attacks come from one single serious strategic mistake on the defender's part, namely taking untrusted input and creating executable code out of it by string concatenation. You'd fire any programmer that attempted such a thing with Java, Python, PHP, or Perl code, and you should be firing people who attempt it with SQL code.

You're going to have to put in standards and enforce them, slipping ship dates as needed, or you might as well just not have standards of any kind and hand your site over to whomever wants it.

> http://www.owasp.org/index.php/Guide_to_SQL_Injection

That guide is at best misleading, and at worst an actual attack. If I were an attacker, I'd *love* for people to imagine that if they just picked some magical tool--probably one I had a hand in making--that they'd just be safe.

I'll be editing this for reality as soon as I get permission :)

Cheers,
David.
--
David Fetter <[email protected]> http://fetter.org/
Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter
Skype: davidfetter XMPP: [email protected]
iCal: webcal://www.tripit.com/feed/ical/people/david74/tripit.ics

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate

_______________________________________________
Owasp-Malaysia mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-malaysia
OWASP Malaysia Wiki
http://www.owasp.org/index.php/Malaysia
OWASP Malaysia Wiki Facebook
http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
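The "strategic mistake" the reply describes, concatenating untrusted input into SQL text, next to the parameterized form it argues for, as an added example that is not part of the mailing-list thread. It uses Python's standard sqlite3 module with a constructed in-memory table (the table, rows and input strings are assumptions for illustration, not data from the thread); the same placeholder pattern applies to any driver, only the placeholder syntax (`?`, `%s`, `$1`) differs.

```python
import sqlite3

# Constructed in-memory sample database; not from the original message.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    conn.commit()
    return conn


def find_user_concat(conn: sqlite3.Connection, name: str) -> list:
    # The mistake: the untrusted value becomes part of the executable SQL text,
    # so the caller's input can change the statement's structure, not just its data.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn: sqlite3.Connection, name: str) -> list:
    # Correct form: the SQL text is fixed at write time; the driver passes the
    # value separately, so it can only ever be compared as data.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name: str) -> dict:
    """Run both variants on the same input and report what each returns.

    Returns {"concat": rows-or-"sql error", "param": rows}.  A legitimate
    name containing an apostrophe shows that concatenation is not only
    injectable but also breaks on ordinary input; a tautology input shows
    the concatenated query returning every row while the parameterized one
    treats the whole string as a (non-matching) name.
    """
    conn = make_db()
    try:
        try:
            concat_result = find_user_concat(conn, name)
        except sqlite3.OperationalError:
            concat_result = "sql error"
        param_result = find_user_param(conn, name)
    finally:
        conn.close()
    return {"concat": concat_result, "param": param_result}


if __name__ == "__main__":
    for sample in ("alice", "o'brien", "' OR '1'='1"):
        print(repr(sample), "->", compare(sample))
```

The parameterized version needs no "sanitizing" step at all, which is the point of the reply: the defence is structural (data never becomes code), so it holds for every input rather than for the inputs someone remembered to filter.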

