Newsgroups: php.internals
Message-ID: <546D9D52.8080702@lsces.co.uk>
Date: Thu, 20 Nov 2014 07:50:42 +0000
From: lester@lsces.co.uk (Lester Caine)
To: internals@lists.php.net
References: <66B7B28C-2651-4A71-AC2A-55D4C7BB3DDC@ajf.me> <546D43B3.60708@gmail.com>
Subject: Re: [PHP-DEV] [RFC] Safe Casting Functions

On 20/11/14 07:29, Yasuo Ohgaki wrote:
> $id = $_GET['id'];
> pg_query("SELECT * FROM some_table WHERE id = $id;");

Anybody using that method of passing parameters to a database needs much
better education. This particular proposal just adds yet another 'how not
to' rather than actually fixing the underlying security problems. Tidy up
what exists - don't create yet another set of functions that can still be
abused.

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
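As an added example (not part of Lester's message, the quoted post, or the RFC), the quoted "how not to" pattern beside the fix it calls for: validate the request value as an integer and hand it to PostgreSQL as a bound parameter with pg_query_params(). The function names `load_row_unsafe()` / `load_row_by_id()` and the open connection in `$conn` are assumed; `some_table` is the table from the quoted snippet.

```php
<?php
// Added example, not code from the thread. Assumes an open PostgreSQL
// connection in $conn and a table some_table with an integer id column.

// VULNERABLE (the pattern quoted in the thread): the raw request value is
// interpolated into the SQL text, so whatever arrives in ?id= becomes part
// of the statement the database parses.
function load_row_unsafe($conn, array $get)
{
    $id = $get['id'];
    $result = pg_query($conn, "SELECT * FROM some_table WHERE id = $id;");
    return $result ? pg_fetch_assoc($result) : false;
}

// HARDENED: reject anything that is not a well-formed integer, then send the
// value as a bound parameter so the database never treats it as SQL text.
function load_row_by_id($conn, array $get)
{
    // FILTER_VALIDATE_INT returns false for "", "12abc" or "1;" instead of
    // silently truncating the way an (int) cast would. min_range rejects
    // zero and negatives, which are not valid ids here.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        return false; // invalid input never reaches the query at all
    }

    // $1 is a server-side placeholder; single quotes keep PHP from
    // interpolating it, and the value travels separately from the SQL.
    $result = pg_query_params(
        $conn,
        'SELECT * FROM some_table WHERE id = $1',
        [$id]
    );
    return $result ? pg_fetch_assoc($result) : false;
}
```

Because the parameter is bound rather than spliced into the string, the same row lookup works for every valid id while malformed input is rejected before any SQL is sent.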