Python or PHP?
John Bokma
john at castleamber.com
Mon Apr 25 16:41:21 EDT 2005
Steve Holden wrote:
> John Bokma wrote:
>> Alan Little wrote:
>>
>>
>>>Steve Holden <steve at holdenweb.com> wrote:
>>>
>>>
>>>>Your statement then becomes
>>>>
>>>>select * from foo where bar=1; drop table foo
>>>>
>>>>which is clearly not such a good idea.
>>>
>>>I'm sure Steve is very well aware of this and was just providing a
>>>simple and obvious example, nevertheless it might be worth pointing
>>>out that anybody who connects their web application to their database
>>>as a user that has DROP TABLE privileges, would clearly be in need of
>>>a lot more help on basic security concepts than just advice on
>>>choosing a programming language.
>>
>>
>> True. But how does it stop someone who uses inserts? (I exclude the
>> case inserts are not needed).
>>
>>
>>>This goes back to the point somebody made earlier on in the thread -
>>>many web applications can be implemented as fairly simple wrappers
>>>around properly designed databases. "Properly designed" includes
>>>giving some thought to table ownership and privileges.
>>
>>
>> One should stop SQL injection always, no matter if the database takes
>> care of it or not. There is no excuse (like, yeah, but I set up the
>> privileges right) for allowing SQL injection, ever.
>>
> Correct. If a thing can't go wrong, it won't.
>
> In security several levels of defense are better than just one, so
> database authorization and SQL injection removal should be considered
> complementary techniques of a "belt and braces" (US: "belt and
> suspenders") approach.
Yup, would say different, I normally set up the privileges before I even
start to program.
--
John MexIT: http://johnbokma.com/mexit/
personal page: http://johnbokma.com/
Experienced programmer available: http://castleamber.com/
Happy Customers: http://castleamber.com/testimonials.html
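The "belt and braces" arrangement discussed in this thread, as an added example written for this archive page (it is not code from John, Steve or anyone else in the thread). It uses Python's standard `sqlite3` module with an in-memory database and the `foo`/`bar` table from the quoted snippet. SQLite has no GRANT/REVOKE, so the database-side layer is modelled with `Connection.set_authorizer`, which lets the connection refuse `DROP TABLE` regardless of what SQL reaches it; the application-side layer is a parameterised query, so the value is bound as data rather than pasted into the statement text.

```python
import sqlite3


def deny_drop(action, arg1, arg2, db_name, trigger_or_view):
    """Authorizer callback: refuse DROP TABLE, allow everything else.

    This stands in for the database privilege layer Alan describes:
    the web application's connection simply is not allowed to drop tables.
    """
    if action == sqlite3.SQLITE_DROP_TABLE:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def open_db():
    """Create the constructed sample table, then lock the connection down."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table foo (bar integer, label text)")
    # Constructed sample rows, inserted with bound parameters as well.
    conn.executemany("insert into foo values (?, ?)", [(1, "one"), (2, "two")])
    conn.commit()
    # Layer 1 (database authorization): from here on, no DROP TABLE on this
    # connection, even if application code is tricked or buggy.
    conn.set_authorizer(deny_drop)
    return conn


def rows_for_bar(conn, bar):
    """Layer 2 (SQL injection removal): bar is a bound parameter, never SQL text.

    Whatever string arrives in `bar` is compared as a value against the column;
    it cannot terminate the statement or append a second one.
    """
    return conn.execute(
        "select bar, label from foo where bar = ?", (bar,)
    ).fetchall()


def table_exists(conn):
    """True if table foo still exists in the schema."""
    row = conn.execute(
        "select count(*) from sqlite_master where type = 'table' and name = 'foo'"
    ).fetchone()
    return row[0] == 1


def drop_is_denied(conn):
    """True if the authorizer refuses a direct DROP TABLE on this connection."""
    try:
        conn.execute("drop table foo")
    except sqlite3.DatabaseError as exc:
        return "not authorized" in str(exc)
    return False


if __name__ == "__main__":
    db = open_db()
    print(rows_for_bar(db, 1))                      # the one matching row
    print(rows_for_bar(db, "1; drop table foo"))    # no rows; treated as a value
    print(table_exists(db), drop_is_denied(db), table_exists(db))
```

Either layer on its own covers the case shown in the thread; the point of keeping both is that the parameterised query protects the data path even where the database cannot enforce privileges (SQLite, shared accounts), while the authorization layer still holds if some other code path builds SQL by string concatenation.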