Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

user input question



On 4/3/07, Bill Horne <bill at horne.net> wrote:
>    1. Create an SQL user with only Select permission, and use that for
>       all web-generated queries.

Yes, and additionally, possibly make it a VIEW rather than an actual
table entry.  That way you limit the damage if someone finds another
way in...

>    2. Filter SQL delimiters from all POST data

Again, this is bad practice.  Never filter specific inputs.  Always
whitelist.  You could do more, but how secure do you really need it to
be.  You aren't storing SSNs I hope :-)
-- 
Kristian Hermansen

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.





BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org