Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: PHP 4.3.3RC3 Released
From: derick@php.net (Derick Rethans)
Date: Thu, 14 Aug 2003 10:31:44 +0200 (CEST)
To: moshe doron
cc: internals@lists.php.net
In-Reply-To: <20030814080011.75572.qmail@pb1.pair.com>

On Thu, 14 Aug 2003, moshe doron wrote:
>
> "Marcus Börger" wrote in message
> > md> http://www.phpbuilder.com/mail/php-developer-list/2003022/0062.php
> >
> > Bullshit.
> >
> > If the cracker can change one of your sql statements he already has access to
> > your machine. In that case he wouldn't bother changing your sql statements.
> >
>
> that's the point. if the cracker can change only the end of the query, it's
> not so useful for him (he can maximum get other id) but if he can chain
> totally new query, he may or may not bother changing your sql statements...

But it's a *user* problem (the developer), not a PHP problem. PHP should
not break nice functionality in an extension (such as chaining queries)
because of people too lazy to verify user input.

Derick

--
"Interpreting what the GPL actually means is a job best left to those
that read the future by examining animal entrails."
-------------------------------------------------------------------------
Derick Rethans http://derickrethans.nl/
International PHP Magazine http://php-mag.net/
-------------------------------------------------------------------------