Re^3: is this mentality safe?

No automatic safety feature is a substitute for thinking.

If CGI param()s are tainted (and I believe they are) and you're using the bind params, then I think SQL injection is the least of your worries. It will probably complain if you don't think to check the tainted stuff. And if you test poorly and untaint and it gets passed to DBI ... it probably won't matter because the DBI quoting and bind params should take care of it automatically. I don't believe javascript can change the problem space with respect to SQL injection.

However taint and DBI probably won't help with things like cross site scripting and the remote root hole on some random service you didn't know you had running (if applicable).

-Paul

Comment on Re^3: is this mentality safe?

Replies are listed 'Best First'.
Re^4: is this mentality safe? by Anonymous Monk on May 18, 2007 at 05:09 UTC
...further to testing user input/tainted_values: - use regexes to include the most sane data rather than excluding illegal characters etc. - be especially vigilant about any email generating script/form, as these are easily hi-jacked by script kiddies to deliver their spam - all the other CGI safety precautions apply: e.g. don't read/write anywhere else except safe directories, remove any path entries from your environment, call any binaries with full pathname, etc.	[reply]

Replies are listed 'Best First'.

Re^4: is this mentality safe?
by Anonymous Monk on May 18, 2007 at 05:09 UTC

[reply]