06 March 2008

Escaping quotes in SQL

You may have made this mistake in the past:

SELECT * FROM table WHERE row=$search

Silly you. See, what you should have done is escape the search parameter. To do that, you. . . I'm just kidding. This isn't really a blog post about how to escape quotes in SQL, or about how prepared statements are good. However, it does seem to be some sort of rite of passage that every technology-related blog must at some point post about the dangers of SQL injection, and when they do so they must pretend they're breaking the news for the first time. We've known about SQL injection since about ten seconds after somebody exploited it the first time. When I said you "may have made this mistake in the past", by "past" I meant at least 5 years ago, and yet I constantly stumble across more and more blog posts warning about the dangers of taking raw user input and feeding it directly to your database. Can we all just agree as programmers that we now know about this, and there's no need to keep informing each other?
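For the record, here is the mistake quoted above next to the prepared-statement fix the post waves away, as an added example that is not code from the original post: a constructed in-memory SQLite table queried once by pasting the value into the SQL text and once with a bound parameter. The table, rows and function names are assumptions of mine.

```python
import sqlite3

# Constructed sample data (not from the original post); one name contains an apostrophe.
ROWS = [("alice", "Alice Smith"), ("obrien", "Pat O'Brien")]


def make_db():
    """Build a throwaway in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def search_concat(conn, search):
    """The post's mistake: the raw value becomes part of the SQL text,
    so any quote inside it is parsed as SQL, not as data."""
    sql = "SELECT login FROM users WHERE name='" + search + "'"
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, search):
    """The fix: the value is bound as a parameter and never touches the
    SQL grammar, so quotes inside it are plain characters."""
    sql = "SELECT login FROM users WHERE name=?"
    return [row[0] for row in conn.execute(sql, (search,))]


def demo(search):
    """Run both versions on one input and report what each one did.
    The concatenated version returns an 'error: ...' string when the
    database rejects the mangled statement."""
    conn = make_db()
    try:
        concat = search_concat(conn, search)
    except sqlite3.Error as exc:
        concat = "error: " + str(exc)
    param = search_param(conn, search)
    return {"concat": concat, "param": param}


if __name__ == "__main__":
    for value in ["Alice Smith", "Pat O'Brien"]:
        print(repr(value), demo(value))
```

A plain name works either way; the apostrophe in "Pat O'Brien" makes the concatenated statement fail to parse while the parameterised query still finds the row, which is exactly the behaviour the escape-your-quotes posts are warning about.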
