Newsgroups: php.internals
Message-ID: <45A90352.1000004@pooteeweet.org>
Date: Sat, 13 Jan 2007 17:05:38 +0100
To: Stefan Esser
Cc: info@ch2o.info, internals@lists.php.net
References: <45A8FC49.7050909@hardened-php.net> <45A8FF84.7000305@pooteeweet.org> <45A90249.7070802@hardened-php.net>
In-Reply-To: <45A90249.7070802@hardened-php.net>
Subject: Re: [PHP-DEV] Comments on PHP security
From: mls@pooteeweet.org (Lukas Kahwe Smith)

Stefan Esser wrote:
> Hello Lukas,
>
>> Maybe I am missing something. If you are talking about dynamic query
>> generation in stored routines, then I would think that people who read
>> the advice over dynamic query generation for PHP would hopefully also
>> apply those practices when they are writing/using stored routines.
>> Also, DBAs in general are not all that fond of dynamic query
>> generation in stored routines.
>
> Well, in a team it is quite likely that people writing PHP applications
> are not those writing Stored Procedures for the SQL Databases. At least
> all big projects I have seen have their own team for complicated SQL
> Queries. Additionally, your statement assumes that people are reading
> documentation ;)

Well, if the people on your team writing the stored procedures do not know how to protect against SQL injection, how is that a PHP issue? It's a common issue that all types of programmers have to learn.

The key lesson here is that, again, you need to remember that switching context means you need to take care of the security implications of this, and it's best if both sides are aware of this and alert each other to potential issues.

regards,
Lukas
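The context switch discussed above, as an added example that is not part of the thread: a constructed MySQL stored procedure that splices its parameter into dynamic SQL, beside one that keeps the value bound as data inside the routine. The PHP caller is assumed to bind the argument to `CALL ... (?)` with a prepared statement; the `users` table and its columns are assumed.

```sql
-- Constructed example (not from the thread). Even when the PHP side binds
-- p_name as a parameter, the routine below re-enters the SQL context by
-- building query text from it, so the injection surface moves into the DB.
DELIMITER $$

CREATE PROCEDURE find_user_unsafe(IN p_name VARCHAR(64))
BEGIN
  -- p_name becomes part of the SQL source text: quoting by hand here is
  -- the same mistake as string-building a query in PHP.
  SET @sql = CONCAT('SELECT id, name FROM users WHERE name = ''',
                    p_name, '''');
  PREPARE stmt FROM @sql;
  EXECUTE stmt;
  DEALLOCATE PREPARE stmt;
END$$

CREATE PROCEDURE find_user_safe(IN p_name VARCHAR(64))
BEGIN
  -- The value never touches the SQL text: a placeholder in the prepared
  -- statement plus USING keeps p_name as data inside the routine as well.
  -- (EXECUTE ... USING only accepts user variables, hence the copy to @v.)
  SET @sql = 'SELECT id, name FROM users WHERE name = ?';
  SET @v = p_name;
  PREPARE stmt FROM @sql;
  EXECUTE stmt USING @v;
  DEALLOCATE PREPARE stmt;
END$$

DELIMITER ;
```

Placeholders cannot bind identifiers, so a routine that must choose a table or column dynamically should check the name against a fixed allowlist before concatenating it, and a review of stored routines for `CONCAT(...)` feeding `PREPARE` is a quick way to find the cases the PHP-side advice does not cover.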