[nycphp-talk] Embrace Dynamic PHP
Jake McGraw
jmcgraw1 at gmail.com
Fri Apr 25 09:06:54 EDT 2008
On Fri, Apr 25, 2008 at 8:49 AM, Daniel Convissor
<danielc at analysisandsolutions.com> wrote:
> On Thu, Apr 24, 2008 at 07:34:50PM -0400, Austin Smith wrote:
>
> > Further, I've long wanted to write a very simple set of flexible helper
> > functions for PHP newbies so they don't blow their brains out with things
> > like mysql_query("insert into blog_entries values(0, "{$_POST['title']}",
> > "{$_POST['body']}");
>
> Fortunately, you haven't done so yet and thereby introduced the world to
> another SQL Injection attack and path disclosure vulnerability. :) You
> have to escape input into the query and ensure $_POST variables actually
> exist before using them to avoid PHP notices.
>
> Of course, you can say you were just posting short hand. But you were
> being pretty specific in your example.
>
> --Dan
Not necessarily true, secure string interpolation is coming soon:
http://google-caja.googlecode.com/svn/changes/mikesamuel/string-interpolation-29-Jan-2008/trunk/src/js/com/google/caja/interp/index.html
- jake
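The hardened counterpart to the interpolated insert quoted above, as an added example that is not code from the thread: rather than escaping each value into the query string as Dan suggests, it checks that the $_POST keys exist and then binds the values as PDO parameters, so they never become part of the SQL text. The table and field names come from the thread; the PDO connection, its DSN and credentials are placeholders.

```php
<?php
// Added example, not from the thread. The "before" function reproduces
// the interpolated query quoted above (with its quoting made valid) so the
// two problems Dan points out are visible next to their fix.

// BEFORE: a double quote inside $post['title'] closes the string literal
// early, so request-controlled text is parsed as SQL. An undefined key
// also raises a PHP notice, which with display_errors on prints the
// script's filesystem path to the visitor (the path disclosure).
function insertEntryVulnerable(array $post) {
    $sql = "insert into blog_entries values(0, \"{$post['title']}\", \"{$post['body']}\")";
    return mysql_query($sql);   // shown only for contrast; do not use
}

// AFTER: reject the request when a field is missing (no notice, no
// query), then send the statement and the values to the server
// separately. Because the values are bound as parameters, there is no
// escaping step that can be forgotten or applied to the wrong charset.
function insertEntry(PDO $db, array $post) {
    foreach (array('title', 'body') as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return false;
        }
    }
    $stmt = $db->prepare('INSERT INTO blog_entries VALUES (0, :title, :body)');
    $stmt->bindValue(':title', $post['title'], PDO::PARAM_STR);
    $stmt->bindValue(':body',  $post['body'],  PDO::PARAM_STR);
    return $stmt->execute();
}

// Constructed usage. DSN and credentials are placeholders. Emulated
// prepares are disabled so that binding happens on the MySQL server
// instead of being simulated by client-side quoting.
$db = new PDO('mysql:host=localhost;dbname=blog', 'db_user', 'db_password', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
));
$ok = insertEntry($db, $_POST);
```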