Subject: No proper DOC blocks, length of...
Summary: Package rating comment
Messages: 3
Author: master spasic
Date: 2009-09-02 16:15:06
Update: 2009-09-27 07:46:16
master spasic rated this package as follows:
Utility: Insufficient
Consistency: Sufficient
Documentation: Insufficient
Examples: Insufficient
master spasic - 2009-09-02 16:15:06
No proper DOC blocks; the length of the email field in the database (varchar(200)) is wrong, since the maximal length of an email address is 254 characters (http://tools.ietf.org/html/rfc5321#section-4.5.3.1); user input is not filtered, e.g. the script is vulnerable to SQL injection (http://en.wikipedia.org/wiki/SQL_injection); no session security is implemented and the script is vulnerable to session hijacking (http://en.wikipedia.org/wiki/Session_hijacking).
oran - 2009-09-02 16:27:10 - In reply to message 1 from master spasic
hi,
thanks for the replies.
DB - will be changed.
SQL injection - this is what PDO bind_param is all about, isn't it?
From my understanding escaping is not needed; tell me if I am wrong.
Session: I'll secure it like you suggest.
thanks
oran
master spasic - 2009-09-27 07:46:16 - In reply to message 2 from oran
Prepared statements would prevent first-order injection on that statement. However, if you use unfiltered data in dynamic SQL anywhere else, your application would still be subject to second-order SQL injection.
Please refer to: www.ngssoftware.com/papers/SecondOrderCodeInjection.pdf and www.ngssoftware.com/papers/advanced_sql_injection.pdf
User input ultimately MUST be filtered. No exceptions allowed. :)
Sorry about late reply.
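The distinction drawn in message 3, as an added example that is not part of the original thread or of the reviewed package: a bound parameter stores a quote-bearing value harmlessly, and a later query that concatenates that stored value back into SQL is where the second-order injection fires. The example uses Python's sqlite3 module with an in-memory database instead of PHP/PDO (the `?` placeholders play the role of PDO's bound parameters); the table layout, the user rows, the attacker's name and the allow-list regex are all constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for this demonstration; nothing here comes from the reviewed package.
# Stored harmlessly by a bound parameter, dangerous once re-used in dynamic SQL.
MALICIOUS_NAME = "x' OR '1'='1"


def setup_db():
    """In-memory SQLite database seeded with two legitimate users (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " id INTEGER PRIMARY KEY,"
        " name TEXT NOT NULL,"
        " email VARCHAR(254) NOT NULL,"  # 254, the RFC 5321 limit cited in the thread, not 200
        " is_admin INTEGER NOT NULL DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO users (name, email, is_admin) VALUES (?, ?, ?)",
        [("admin", "admin@example.com", 1), ("alice", "alice@example.com", 0)],
    )
    conn.commit()
    return conn


def register(conn, name, email):
    """Prepared statement with bound parameters: the quote inside the name is stored literally."""
    cur = conn.execute("INSERT INTO users (name, email) VALUES (?, ?)", (name, email))
    conn.commit()
    return cur.lastrowid


def count_users_named(conn, name):
    """First-order lookup with a bound parameter: the payload can only match itself."""
    return conn.execute("SELECT COUNT(*) FROM users WHERE name = ?", (name,)).fetchone()[0]


def emails_for_user_unsafe(conn, user_id):
    """Second-order injection: the name came out of the database, so the developer
    treats it as trusted and concatenates it into a new statement."""
    name = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    sql = "SELECT email FROM users WHERE name = '" + name + "' ORDER BY id"
    # With MALICIOUS_NAME this becomes: ... WHERE name = 'x' OR '1'='1' ORDER BY id
    return [row[0] for row in conn.execute(sql)]


def emails_for_user_safe(conn, user_id):
    """Same lookup with the stored value bound as a parameter: it matches exactly one row."""
    name = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    rows = conn.execute("SELECT email FROM users WHERE name = ? ORDER BY id", (name,))
    return [row[0] for row in rows]


# Allow-list for names: an assumption of this example, not a rule from the package.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")
EMAIL_MAX_LEN = 254  # RFC 5321 section 4.5.3.1 path limit, as cited in the thread


def validate_input(name, email):
    """Filter at the boundary, as the reviewer insists: reject bad input instead of escaping it."""
    if not NAME_RE.match(name):
        raise ValueError("invalid name")
    if len(email) > EMAIL_MAX_LEN or "@" not in email:
        raise ValueError("invalid email")
    return name, email


def register_filtered(conn, name, email):
    """Filter, then bind: stored data can no longer carry a payload into later dynamic SQL."""
    return register(conn, *validate_input(name, email))


if __name__ == "__main__":
    conn = setup_db()
    attacker = register(conn, MALICIOUS_NAME, "attacker@example.com")
    print("first-order, bound:", count_users_named(conn, MALICIOUS_NAME))          # 1
    print("second-order, concatenated:", emails_for_user_unsafe(conn, attacker))  # every email
    print("second-order, bound:", emails_for_user_safe(conn, attacker))           # attacker only
    try:
        register_filtered(conn, MALICIOUS_NAME, "attacker@example.com")
    except ValueError as exc:
        print("filtered:", exc)
```

Binding parameters on the insert is exactly what makes the second-order case possible: the payload survives storage intact, and the first piece of code anywhere in the application that builds SQL by concatenation from that column is the one that gets exploited. Binding on every statement closes that hole; filtering at the input boundary additionally keeps the payload out of the database, which also protects code paths (reports, exports, legacy queries) that the author has not reviewed.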