(no subject)

Date: 2005-11-09 03:33 pm (UTC)
Never mind scrubbing input, they should be using bind variables. For example, if they're using Perl, instead of

$dbh->do("insert into visitor (name) values ('$name')");

they should be using

my $sth = $dbh->prepare("insert into visitor (name) values (?)");
$sth->execute($name);

That way, because $name is never interpolated into a SQL string, it doesn't matter what's in $name. PHP has support for bind variables as well.
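The contrast the comment draws, shown as an added example that is not part of the original comment and not the commenter's Perl: the same two insert patterns written against Python's sqlite3 module, which follows the same placeholder-plus-parameters convention as Perl DBI. The visitor table, the in-memory database and the sample names are constructed for this example. A plain apostrophe in a legitimate name is enough to break the interpolated version, while the bound version stores the value exactly as given.

```python
import sqlite3


def make_db():
    # Constructed in-memory database with a one-column visitor table,
    # matching the table name used in the comment.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visitor (name TEXT)")
    return conn


def insert_interpolated(conn, name):
    """The pattern the comment warns against: the value becomes part of the SQL text."""
    sql = f"INSERT INTO visitor (name) VALUES ('{name}')"
    conn.execute(sql)
    conn.commit()


def insert_bound(conn, name):
    """The recommended pattern: a '?' placeholder in the SQL, the value passed separately.

    The driver hands the value to the database as data, so it is never parsed as SQL.
    """
    conn.execute("INSERT INTO visitor (name) VALUES (?)", (name,))
    conn.commit()


def stored_names(conn):
    # Read back whatever ended up in the table, in insertion order.
    return [row[0] for row in conn.execute("SELECT name FROM visitor ORDER BY rowid")]


def demo(name):
    """Try both insert styles on a fresh database for one input.

    Returns (interpolation_failed, names_in_table):
      interpolation_failed is True when the interpolated statement was rejected
      by the SQL parser; names_in_table shows what the bound insert stored.
    """
    conn = make_db()
    failed = False
    try:
        insert_interpolated(conn, name)
    except sqlite3.OperationalError:
        # e.g. 'O'Brien' yields VALUES ('O'Brien'), which is a syntax error
        failed = True
    insert_bound(conn, name)
    return failed, stored_names(conn)


if __name__ == "__main__":
    for sample in ("alice", "O'Brien"):  # constructed sample inputs
        print(sample, "->", demo(sample))
```

The interpolated insert only works by accident for inputs that contain no quote characters; the bound insert works for every input, which is why the comment says the contents of $name stop mattering.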