Python or PHP?

John Bokma john at castleamber.com
Mon Apr 25 15:33:54 EDT 2005


Alan Little wrote:

> Steve Holden <steve at holdenweb.com> wrote:
> 
>>Your statement then becomes
>>
>>select * from foo where bar=1; drop table foo
>>
>>which is clearly not such a good idea.
> 
> I'm sure Steve is very well aware of this and was just providing a
> simple and obvious example, nevertheless it might be worth pointing
> out that anybody who connects their web application to their database
> as a user that has DROP TABLE privileges, would clearly be in need of
> a lot more help on basic security concepts than just advice on
> choosing a programming language.

True. But how does it stop someone who uses inserts? (I exclude the case 
where inserts are not needed.)

> This goes back to the point somebody made earlier on in the thread -
> many web applications can be implemented as fairly simple wrappers
> around properly designed databases. "Properly designed" includes
> giving some thought to table ownership and privileges.

One should stop SQL injection always, no matter if the database takes care 
of it or not. There is no excuse (like, yeah, but I set up the privileges 
right) for allowing SQL injection, ever.

-- 
John                               MexIT: http://johnbokma.com/mexit/
                           personal page:       http://johnbokma.com/
        Experienced programmer available:     http://castleamber.com/
            Happy Customers: http://castleamber.com/testimonials.html
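The point made above, that injection must be stopped in the application regardless of database privileges, can be shown with a small Python `sqlite3` session. This is an added example, not code from the thread; the table `foo` and its rows are constructed here, the payload is the one quoted in the thread, and since `sqlite3`'s `execute()` refuses multi-statement strings, the unsafe path uses `executescript()` to emulate drivers that will run both statements.

```python
import sqlite3

# Payload quoted in the thread: appended to a WHERE clause it becomes two statements.
MALICIOUS_INPUT = "1; drop table foo"


def make_db():
    """Constructed sample database: table foo(bar integer, note text) with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table foo (bar integer, note text)")
    conn.executemany("insert into foo values (?, ?)", [(1, "one"), (2, "two")])
    conn.commit()
    return conn


def table_exists(conn, name):
    """True if a table with the given name is still present in the schema."""
    row = conn.execute(
        "select 1 from sqlite_master where type='table' and name=?", (name,)
    ).fetchone()
    return row is not None


def query_unsafe(conn, user_input):
    """Vulnerable form: user input is pasted into the SQL text.

    sqlite3.execute() rejects multiple statements, so executescript() stands in
    for database drivers (hypothetically, any that allow multi-statement queries)
    that would execute the injected DROP TABLE as well.
    """
    conn.executescript(f"select * from foo where bar={user_input}")


def query_safe(conn, user_input):
    """Hardened form: the value travels as a bound parameter, never as SQL text.

    The whole string is compared against the integer column, so no row matches
    and nothing in it is parsed as a statement.
    """
    return conn.execute(
        "select bar, note from foo where bar=?", (user_input,)
    ).fetchall()


def insert_safe(conn, bar, note):
    """Parameterised INSERT: the same payload is stored verbatim, not executed."""
    conn.execute("insert into foo values (?, ?)", (bar, note))
    conn.commit()
    return conn.execute("select count(*) from foo").fetchone()[0]


def demo():
    """Run both paths against the quoted payload and report what happened."""
    conn = make_db()
    safe_rows = query_safe(conn, MALICIOUS_INPUT)
    safe_table_intact = table_exists(conn, "foo")
    rows_after_safe_insert = insert_safe(conn, MALICIOUS_INPUT, "stored verbatim")
    query_unsafe(conn, MALICIOUS_INPUT)
    unsafe_table_intact = table_exists(conn, "foo")
    return {
        "safe_rows": safe_rows,                      # [] : no row has bar == payload
        "safe_table_intact": safe_table_intact,      # True: parameters never run as SQL
        "rows_after_safe_insert": rows_after_safe_insert,  # 3: payload stored as data
        "unsafe_table_intact": unsafe_table_intact,  # False: string-built SQL ran the DROP
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the parameterised read and insert leaving the table intact while the string-built query destroys it; a connection without DROP privileges would only turn the last line into an error, and would do nothing about injected reads or inserts, which is why the fix belongs in the query code.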