Thread: More PHP DB abstraction layer stuff
Has anyone seen/used this: http://www.zend.com/codex.php?CID=324

It looks fairly innocuous. It also claims to not load an entire dataset into memory, i.e. uses cursors, but I don't see where they're used, unless it's inherent in the PHP Pg interface.

One thing that always gets me is why people think quoting the ' in a string is a security feature when they don't allow for someone giving \' in the string. On the other hand I'm never sure how to protect against such 'odd number of escapes' attacks. Anyone got any clues? Does PQescape do it?

-- Nigel Andrews
At 02:44 AM 1/25/03 +1030, Justin Clift wrote:
>If it's any help, an approach that I feel is safe is to use the PHP
>functions rawurlencode() on all data as soon as it hits the page, then use
>that encoded data everywhere in the PHP code (including for storage in the
>database), and use rawurldecode() if/when it needs to be spat out to a browser.
>
>The only real disadvantage is that column widths for data storage need to
>be wider, but for databases without huge resource requirements it's not
>real noticeable, and the data is pretty safe in encoded form.

I prefer an approach where filters are kept separate. You have different input filters so that your program can deal with each different input properly. I doubt your program can do much with rawurlencoded CGI parameters without decoding them. You then have different output filters so the different programs (and contexts) your program sends output to can deal with the output.

Using the same filter for everything seems to be a popular habit in the PHP community. Magic quotes etc. That sort of thing tends to produce the "backslash everywhere" syndrome, corrupting data needlessly. Personally it gives me a bad impression of the thought that went into the design of many PHP "features".

Cheerio,
Link.
"Nigel J. Andrews" <nandrews@investsystems.co.uk> writes:
> One thing that always gets me is why people think quoting the ' in a string is
> a security feature when they don't allow for someone giving \' in the
> string. On the other hand I'm never sure how to protect against such 'odd
> number of escapes' attacks. Anyone got any clues? Does PQescape do it?

That just means you have to escape \ as well as '. But the best way to deal with this is to use placeholders and prepared queries and provide the data out of band. This completely sidesteps the issue and guarantees you can't get it wrong by mistake ever. Mixing user-provided data with program code is a recipe for security holes.

-- greg
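The following is an added example, not code posted in this thread or from the Zend codex library under discussion. It makes Nigel's 'odd number of escapes' question and Greg's two answers concrete: a quote-only escape, the escape-backslash-too fix, and a placeholder query. It assumes the server lexes string literals with backslash escapes, which PostgreSQL did by default at the time of the thread (today that requires standard_conforming_strings=off or an E'...' literal); the `split_literal` function is a deliberately minimal model of that lexer, not the real parser. The in-memory SQLite database is a stand-in for the PHP Pg interface and is used only for the placeholder part; the `users` table, the `ATTACK` value and the helper names are all constructed for the example.

```python
"""Added example: the 'odd number of escapes' bypass, the escape-backslash-too
fix, and placeholders that sidestep the whole problem.

Assumption: the target lexes string literals with backslash escapes
(PostgreSQL of that era). SQLite here only stands in for the PHP Pg interface
in the placeholder demo."""
import sqlite3

# Attacker-controlled value, constructed for this example.
# As characters it is:  \' OR 1=1 --
ATTACK = "\\' OR 1=1 --"


def quote_only_escape(s):
    """The escaping the thread criticises: only ' is protected."""
    return s.replace("'", "\\'")


def escape_backslash_and_quote(s):
    """What Greg recommends: escape \\ first, then ', so a trailing backslash
    in the input can no longer swallow the backslash we add before the quote."""
    return s.replace("\\", "\\\\").replace("'", "\\'")


def build_query(escaped):
    """The string-splicing style of query the thread warns about."""
    return "SELECT name FROM users WHERE name = '" + escaped + "'"


def split_literal(sql, start):
    """Minimal model of a backslash-escaping string lexer.
    `start` indexes the opening quote. Returns (decoded_value, tail), where
    tail is everything after the closing quote, i.e. what the server would
    go on to parse as SQL."""
    i, out = start + 1, []
    while i < len(sql):
        c = sql[i]
        if c == "\\" and i + 1 < len(sql):   # \x decodes to x, consumes two chars
            out.append(sql[i + 1])
            i += 2
        elif c == "'":                        # unescaped quote ends the literal
            return "".join(out), sql[i + 1:]
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated string literal")


def server_view(escape_fn, user_input):
    """Escape, splice into the query, and report what the server would see:
    the value it recovers from the literal and any SQL that leaked past it."""
    sql = build_query(escape_fn(user_input))
    value, tail = split_literal(sql, sql.index("'"))
    return value, tail.strip()


def lookup_parameterized(user_input):
    """Greg's recommendation: the value travels out of band via a placeholder,
    so it can only ever be compared as data, never parsed as SQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [("alice",), ("bob",), (ATTACK,)])
    rows = conn.execute("SELECT name FROM users WHERE name = ?",
                        (user_input,)).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    # Quote-only: the literal ends early and "OR 1=1 --" leaks out as SQL.
    print(server_view(quote_only_escape, ATTACK))
    # Backslash-and-quote: the literal decodes back to the exact input, no tail.
    print(server_view(escape_backslash_and_quote, ATTACK))
    # Placeholder: only the row whose name is literally ATTACK matches.
    print(lookup_parameterized(ATTACK))
```

Running `server_view(quote_only_escape, ATTACK)` shows the mechanism behind Nigel's question: the attacker's own backslash pairs up with the one the escaper inserted, the server decodes `\\` as one literal backslash, and the next `'` closes the string, leaving `OR 1=1 --` to run as SQL. Escaping the backslash first keeps the escape count consistent, so the literal decodes to exactly the input. The placeholder version has no literal to break out of at all, which is why it cannot be got wrong by mistake.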