Newsgroups: php.internals
References: <4F850D06.10701@sugarcrm.com> <4F8515AF.8060706@sugarcrm.com>
<4F851FE4.7000706@sugarcrm.com>
Date: Wed, 11 Apr 2012 15:49:13 +0900
To: Stas Malyshev
Cc: John Crenshaw, internals@lists.php.net
Subject: Re: [PHP-DEV] Re: Disabling PHP tags by php.ini and CLI options
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Oops, there are several language mistakes in the previous mail, but this should be noted.

    Prepared query is not a perfect SQL injection countermeasure as it never escape nor parameterize identifiers/SQL literals.

should be

    Prepared query is not a perfect SQL injection countermeasure as it never escape nor parameterize identifiers/SQL statements (e.g. ORDER BY ASC/DESC, etc).

I've seen ASC/DESC as a parameter in a prepared query. They should be validated if they are user inputs.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

2012/4/11 Yasuo Ohgaki :
> Prepared query is not a perfect
> SQL injection countermeasure as it never escape nor
> parameterize identifiers/SQL literals.
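The point made above, shown in code as an added example that is not part of the thread: a sort column and the ASC/DESC keyword cannot be bound as prepared-statement parameters, so they are checked against an allow-list before being interpolated, while the data value is bound as usual. The table, columns and in-memory SQLite database are constructed for illustration.

```php
<?php
// Added example (not from the mailing-list thread). Identifiers and the
// ORDER BY direction keyword are part of the SQL text, not bindable values,
// so a prepared query alone does not protect them: validate them first.
// Table and column names below are constructed for illustration.

function buildUserListQuery(PDO $pdo, string $sortColumn, string $sortDir, int $minAge): PDOStatement
{
    // Allow-list of identifiers: map a user-supplied key to a fixed, trusted column name.
    $allowedColumns = ['name' => 'name', 'created' => 'created_at', 'age' => 'age'];
    if (!array_key_exists($sortColumn, $allowedColumns)) {
        throw new InvalidArgumentException("Unknown sort column: $sortColumn");
    }
    $column = $allowedColumns[$sortColumn];

    // Allow-list of keywords: exact match against the only two valid words.
    $dir = strtoupper($sortDir);
    if ($dir !== 'ASC' && $dir !== 'DESC') {
        throw new InvalidArgumentException("Invalid sort direction: $sortDir");
    }

    // Only the validated, trusted strings reach the SQL text; the data value is bound.
    $sql = "SELECT id, name, age FROM users WHERE age >= :min_age ORDER BY $column $dir";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':min_age', $minAge, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt;
}

// Constructed in-memory database so the example runs stand-alone.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age INTEGER, created_at TEXT)');
$pdo->exec("INSERT INTO users (name, age, created_at) VALUES ('alice', 34, '2012-01-01'), ('bob', 27, '2012-02-01')");

// Valid request: sort key and direction pass the allow-list, min_age is bound.
$rows = buildUserListQuery($pdo, 'age', 'desc', 30)->fetchAll(PDO::FETCH_ASSOC);
print_r($rows);

// Anything outside the allow-list is rejected before it can reach the SQL text.
try {
    buildUserListQuery($pdo, 'unknown', 'asc', 0);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```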