> *Always* validate your data. If you validate your data and never trust > anything which comes from the client side of the connection, your > problem goes away. I mean, you wouldn't pass user data to exec() > or fopen() without some serious checking, would you? ;) > > Sure, PHP could try to prevent every possible problem from cropping up, > but that would make the language pretty useless. It's up to the coder > to not program security flaws. > > > -- > Torben Wilson <[EMAIL PROTECTED]> > http://www.thebuttlesschaps.com > http://www.hybrid17.com > http://www.inflatableeye.com > +1.604.709.0506
I understand you try to 'protect' your own product, but you have to stay a bit realistic about some things. Ofcourse I check the input. But you know... there's absolutely nothing wrong with allowing quotes to be stored in the database. It's just that awful 'feature' that makes it rather dangerous to do. If that feature/bug was documented _anywhere_ it would still not be good, but at least someone would know that PHP does this. But no... it's not documented, not anywhere! You can't check user input on stuff you don't know it can harm anything. Like I said... quotes are very normal to be allowed in the database. It would be a good thing if you guys do something of: 1. Good rid of the bug(/feature) right a way or 2. Document it clearly. Eg. in the documentation of odbc_execute(). -- * R&zE: -- »»»»»»»»»»»»»»»»»»»»»»»» -- Renze Munnik -- DataLink BV -- -- E: [EMAIL PROTECTED] -- W: +31 23 5326162 -- F: +31 23 5322144 -- M: +31 6 21811143 -- -- Stationsplein 82 -- 2011 LM HAARLEM -- Netherlands -- -- http://www.datalink.nl -- «««««««««««««««««««««««« -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
