Hi Sigurd,

On Mon, 2006-10-16 at 10:36 +0200, Sigurd Nes wrote:
> Removing ";" from sql statements would protect from SQL injection - right?
> Could this be performed by the datacleaner (clean variables fetched by 
> get_var())?

This could be done, but I think there are some legitimate uses of ; in
strings, it is valid English punctuation.  I think it is better that
developers properly escape/cast/sanitize/validate _all_ values before
they are sent to the db, as they are the ones who know what values
should be sent to the db.

Cheers

Dave
-- 
Dave Hall (aka skwashd)
API Coordinator
phpGroupWare
e [EMAIL PROTECTED]
w phpgroupware.org
j [EMAIL PROTECTED]
sip [EMAIL PROTECTED]
       _            ____                    __        __             
 _ __ | |__  _ __  / ___|_ __ ___  _   _ _ _\ \      / /_ _ _ __ ___ 
| '_ \| '_ \| '_ \| |  _| '__/ _ \| | | | '_ \ \ /\ / / _` | '__/ _ \
| |_) | | | | |_) | |_| | | | (_) | |_| | |_) \ V  V / (_| | | |  __/
| .__/|_| |_| .__/ \____|_|  \___/ \__,_| .__/ \_/\_/ \__,_|_|  \___|
|_|         |_|                         |_|Web based collaboration platform
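Dave's point above, as an added example (Python, written for this note; not phpGroupWare code, which is PHP): a datacleaner rule that only strips ";" still leaves the value spliced into the SQL text, while binding the value as a driver parameter keeps it out of the statement structure and also preserves legitimate semicolons in data. The `notes` table, its rows, the function names and the allow-list pattern are all constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample rows for the demonstration (not phpGroupWare's schema).
# The first body contains a legitimate ';' used as English punctuation.
SAMPLE_NOTES = [
    ("alice", "call the bank; ask about the loan"),
    ("bob", "buy milk"),
]


def make_db():
    """In-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (author TEXT, body TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)", SAMPLE_NOTES)
    return conn


def strip_semicolons(value):
    """The proposed datacleaner rule: drop ';' from the incoming value, nothing else."""
    return value.replace(";", "")


def find_by_author_stripped(conn, author):
    """Semicolons removed, but the value is still concatenated into the SQL text."""
    sql = "SELECT author FROM notes WHERE author = '%s'" % strip_semicolons(author)
    return [row[0] for row in conn.execute(sql)]


def find_by_author_param(conn, author):
    """Bound parameter: the driver escapes/quotes, so the value cannot alter the query."""
    return [row[0] for row in conn.execute(
        "SELECT author FROM notes WHERE author = ?", (author,))]


def find_by_body_stripped(conn, body):
    """Same stripping rule applied to a search term that legitimately contains ';'."""
    sql = "SELECT author FROM notes WHERE body = '%s'" % strip_semicolons(body)
    return [row[0] for row in conn.execute(sql)]


def find_by_body_param(conn, body):
    """Bound parameter: the ';' in the search term is just data and still matches."""
    return [row[0] for row in conn.execute(
        "SELECT author FROM notes WHERE body = ?", (body,))]


def validated_author(author):
    """Allow-list validation at the input boundary (constructed pattern), used in
    addition to binding: an author name is expected to be a plain identifier."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,32}", author):
        raise ValueError("author must be a plain identifier")
    return author


if __name__ == "__main__":
    db = make_db()
    # A unit-test input for the cleaner: a quote but no semicolon, so stripping
    # changes nothing and the WHERE clause no longer means "this author".
    probe = "' OR '1'='1"
    print("stripped :", find_by_author_stripped(db, probe))   # every author leaks
    print("bound    :", find_by_author_param(db, probe))      # no such author: []
    # Legitimate punctuation is damaged by stripping but intact when bound.
    phrase = "call the bank; ask about the loan"
    print("stripped :", find_by_body_stripped(db, phrase))    # [] - row not found
    print("bound    :", find_by_body_param(db, phrase))       # ['alice']
```

The two `*_stripped` functions show the real defect is building SQL by string concatenation, which no character blacklist repairs; the two `*_param` functions are the escape-by-driver approach, and `validated_author` is the allow-list validation step Dave asks developers to do before a value reaches the database.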




_______________________________________________
phpGroupWare-developers mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/phpgroupware-developers