DCPM: CGI and Database sanitising
Matthew Browning
mb at matthewb.org
Thu Oct 16 18:54:04 CDT 2003
On Thursday 16 October 2003 20:41, Simon Waters wrote:
> What ways do people use to sanitize data from tainted CGI data, for
> use in database input, or do you all studiously avoid creating SQL and
> only use place holders and other such techniques?
>
That's right.
Use of placeholders protects you from this kind of thing. We are also
religiously checking untrusted user input with regexes. There is also
this CGI::Untaint module:
http://search.cpan.org/~tmtm/CGI-Untaint-1.00/lib/CGI/Untaint.pm
...and finally, I'm not giving apache|www|nobody (whatever you call
him) rights he doesn't need.
> Urm when are we meeting, someone name a day and a pub quickly?
Thursday 30 October, in the evening, Exeter, pub TBC. (Prefer Friday
but suspect town will be crawling with students being spooky).
Last Thursday of the month henceforth.
--
http://matthewb.org/public_key.txt
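An added example (not part of the original post or of CGI::Untaint) of the two points in the reply above: a DBI query built by interpolation beside the same query with a placeholder, preceded by a regex untaint step. It assumes DBD::SQLite is installed; the name rule and the sample rows are constructed for this example.

```perl
#!/usr/bin/perl
# Added example: string-built SQL versus DBI placeholders, plus a regex
# "untaint" of the kind the reply describes. Assumes DBD::SQLite.
use strict;
use warnings;
use DBI;

# In-memory database with constructed sample rows.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE users (name TEXT, email TEXT)");
$dbh->do("INSERT INTO users VALUES (?, ?)", undef, @$_)
    for (["alice", "alice\@example.org"], ["O'Brien", "ob\@example.org"]);

# Untaint step: accept only what the application actually needs and
# reject everything else before it gets near the database. The rule
# here (letters, digits, apostrophe, dot, hyphen; 1-40 chars) is a
# hypothetical one chosen for this example.
sub untaint_name {
    my ($raw) = @_;
    return $raw =~ /^([\w.'-]{1,40})\z/ ? $1 : undef;
}

# Unsafe: the user's bytes become part of the SQL text. Even an honest
# name containing an apostrophe breaks the statement, which is the same
# mechanism that lets hostile input change the statement's meaning.
sub lookup_interpolated {
    my ($name) = @_;
    return $dbh->selectrow_array(
        "SELECT email FROM users WHERE name = '$name'");
}

# Safe: the value is bound by the driver and is never parsed as SQL.
sub lookup_placeholder {
    my ($name) = @_;
    return $dbh->selectrow_array(
        "SELECT email FROM users WHERE name = ?", undef, $name);
}

for my $input ("alice", "O'Brien", "bob; not a name") {
    my $name = untaint_name($input);
    if (!defined $name) { print "rejected by untaint: $input\n"; next; }
    my $safe   = lookup_placeholder($name);
    my $unsafe = eval { lookup_interpolated($name) };
    printf "%-8s placeholder=%s interpolated=%s\n", $name,
        defined $safe   ? $safe   : "none",
        defined $unsafe ? $unsafe : "ERROR (statement broke)";
}
```

The placeholder lookup returns the right row for both stored names, while the interpolated version fails on "O'Brien" and the third input never reaches the database at all.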