Timeline for How can I prevent SQL injection in PHP?
Current License: CC BY-SA 3.0
9 events
when | what | by | license | comment
---|---|---|---|---
Oct 30, 2020 at 16:31 | comment added | andrew pate | | As an aside, PHP has command injection vulnerabilities too, worth considering. One way round this is to block requests containing special characters, or that look unduly long, at the load balancer/web server before they get to PHP... gracefulsecurity.com/… owasp.org/www-community/vulnerabilities/PHP_Object_Injection
Jul 7, 2017 at 14:55 | history made wiki | Post Made Community Wiki by animuson♦ | |
Jan 4, 2017 at 20:48 | comment added | Anthony Rutledge | | Ah, the security exception to the do-it-yourself corollary. See, I tend to be willing to risk it all and go for broke. :-) Kidding. With enough time, people can learn to make a pretty darn secure application. Too many people are in a rush. They throw their hands up and assume that the frameworks are safer. After all, they do not have enough time to test and figure things out. Moreover, security is a field that requires dedicated study. It is not something mere programmers know in depth by virtue of understanding algorithms and design patterns.
Jan 4, 2017 at 20:35 | comment added | Johannes Fahrenkrug | | @AnthonyRutledge I agree! I think the use case makes a difference too: am I building a photo gallery for my personal homepage, or am I building an online banking web application? In the latter case it's very important to understand the details of security and how a framework that I am using is addressing those.
Jan 4, 2017 at 19:30 | comment added | Anthony Rutledge | | Hear, hear. Good points. However, would you agree that many people can study and learn to adopt an MVC system, but not everyone can reproduce it by hand (controllers and server)? One can go too far with this point. Do I need to understand my microwave before I heat up the peanut butter pecan cookies my girlfriend made me? ;-)
Jan 4, 2017 at 18:38 | comment added | Johannes Fahrenkrug | | @AnthonyRutledge You are absolutely correct. It is very important to understand what is going on and why. However, the chance that a tried-and-true, actively used and developed framework has run into and solved a lot of issues and patched a lot of security holes already is pretty high. It's a good idea to look at the source to get a feel for the code quality. If it's an untested mess, it's probably not secure.
Jan 4, 2017 at 16:32 | comment added | Anthony Rutledge | | I think your first paragraph is important. Understanding is key. Also, not everyone is working for a company. For a large swath of people, frameworks actually go against the idea of understanding. Getting intimate with the fundamentals may not be valued while working under a deadline, but the do-it-yourselfers out there enjoy getting their hands dirty. Framework developers are not so privileged that everyone else must bow and assume they never make mistakes. The power to make decisions is still important. Who is to say that my framework won't displace some other scheme in the future?
Jul 16, 2014 at 2:05 | history edited | Peter Mortensen | CC BY-SA 3.0 | Expansion.
Jul 3, 2012 at 10:14 | history answered | Johannes Fahrenkrug | CC BY-SA 3.0 |