Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:3916
Return-Path:
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 18927 invoked from network); 14 Aug 2003 08:45:04 -0000
Received: from unknown (HELO secure.thebrainroom.com) (213.239.42.171) by pb1.pair.com with SMTP; 14 Aug 2003 08:45:04 -0000
Received: from zaneeb.brainnet.i (IDENT:root@brain.dial.nildram.co.uk [195.149.29.154]) by secure.thebrainroom.com (8.9.3/8.9.3) with ESMTP id JAA12176; Thu, 14 Aug 2003 09:45:02 +0100
Received: from zaneeb.brainnet.i (IDENT:wez@zaneeb.brainnet.i [127.0.0.1]) by zaneeb.brainnet.i (8.11.6/8.11.6) with ESMTP id h7E8j3L03411; Thu, 14 Aug 2003 09:45:04 +0100
Date: Thu, 14 Aug 2003 09:45:03 +0100 (BST)
X-X-Sender: wez@zaneeb.brainnet.i
To: Derick Rethans
cc: moshe doron, internals@lists.php.net
In-Reply-To:
Message-ID:
References: <200308071447.03285.ilia@prohost.org> <20030814072704.49157.qmail@pb1.pair.com> <20030814074156.63525.qmail@pb1.pair.com> <79032196.20030814095035@post.rwth-aachen.de> <20030814080011.75572.qmail@pb1.pair.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: Re: [PHP-DEV] Re: PHP 4.3.3RC3 Released
From: wez@thebrainroom.com (Wez Furlong)

+1.

This is no bug in PHP, it is not a security flaw in PHP; it is a problem in your code.
PHP shouldn't police your lax security because you can't be bothered with it.

Can we drop this thread now? :-)

--Wez.

On Thu, 14 Aug 2003, Derick Rethans wrote:

> On Thu, 14 Aug 2003, moshe doron wrote:
> > that's the point. if the cracker can change only the end of the query, it's
> > not so useful for him (he can maximum get other id) but if he can chain
> > totally new query, he may or may not bother changing your sql statements....
>
> But it's a *user* problem (the developer), not a PHP problem. PHP should
> not break nice functionality in an extension (such as chaining queries)
> because of people too lazy to verify user input.
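The thread above puts the burden on the application: verify user input before it reaches SQL, and do not rely on the database extension to stop query chaining for you. The following is an added example, not code from the thread or from PHP; it uses Python's standard sqlite3 module and a constructed in-memory table (the `items` table, the `validate_id` and `lookup_name` helpers are all assumptions made for illustration) to show the two defensive habits the posters are arguing about: rejecting anything that is not a plain integer id before it is used, binding the value as a parameter so the driver treats it as data rather than SQL text, and relying on a driver that executes only one statement per call.

```python
import re
import sqlite3

# Constructed sample data standing in for the application's own table.
SAMPLE_ROWS = [(1, "alpha"), (2, "beta"), (3, "gamma")]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def validate_id(raw):
    """Accept only a plain decimal integer (the 'verify user input' step).

    Anything else, including strings carrying extra SQL, is rejected here
    and never reaches the query.
    """
    if not isinstance(raw, str) or re.fullmatch(r"[0-9]+", raw) is None:
        raise ValueError("id must be a plain decimal integer")
    return int(raw)


def lookup_name(conn, raw_id):
    """Validate the id, then bind it as a parameter rather than splicing it into SQL text."""
    item_id = validate_id(raw_id)
    row = conn.execute("SELECT name FROM items WHERE id = ?", (item_id,)).fetchone()
    return row[0] if row else None


def is_rejected(conn, raw_id):
    """True when the validation step refuses the input before any SQL runs."""
    try:
        lookup_name(conn, raw_id)
    except ValueError:
        return True
    return False


def bound_value_is_treated_as_data(conn, raw_value):
    """Even without validation, a bound parameter is compared as a literal value.

    Returns True when the lookup finds no row, i.e. the text was not
    interpreted as SQL.  (Validation stays in place in real code; this only
    illustrates what binding alone buys you.)
    """
    row = conn.execute("SELECT name FROM items WHERE id = ?", (raw_value,)).fetchone()
    return row is None


def rejects_chained_statement(conn):
    """sqlite3's execute() runs exactly one statement per call.

    A query string carrying a second statement is refused by the driver,
    which is the property the thread discusses when it talks about
    'chaining queries' in an extension.
    """
    try:
        conn.execute("SELECT 1; SELECT 2")
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("id 2 ->", lookup_name(db, "2"))
    print("non-integer id rejected:", is_rejected(db, "2 OR 1"))
    print("bound text treated as data:", bound_value_is_treated_as_data(db, "2 OR 1"))
    print("driver refuses two statements per call:", rejects_chained_statement(db))
```

The validation step is what Derick calls verifying user input; the parameter binding is the part that makes the "change only the end of the query" case harmless as well, because the bound value can never close the statement or open a new one. Whether a given driver lets a single call run several statements is a property of that driver, which is why the check in `rejects_chained_statement` is worth running against whatever database layer your application actually uses.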