Old Dec 11th, 2005, 4:42 PM   #11
DaWei
Resident Grouch
Quote:
To be honest SQL Injection is quite unknown.
To whom? My grandmother, certainly, but no really competent SQL user.
__________________
Abstraction doesn't make it impossible to write bad code; it makes it possible to write superior code.
Contributor's Corner: Grumpy on C++ Exceptions DaWei on Pointers
Old Dec 11th, 2005, 5:31 PM   #12
Darkhack
Hobbyist Programmer
Since when do users have to be competent!? :p

Don't believe me? Here is Proof
Old Dec 11th, 2005, 5:45 PM   #13
DaWei
Resident Grouch
I didn't read your link because it doesn't matter. You are saying SQL Injection is unknown. You are also saying it's a problem. It can't be both. If you were to do a cursory search on SQL injection, you would be quite inundated. The fact is that you are letting your personal discoveries tell you that they are the discoveries of the rest of the world, as well. I won't say it isn't a normal tendency, but you need to consider it somewhat before you mount the pulpit and preach to the choir.
Old Dec 11th, 2005, 6:25 PM   #14
Darkhack
Hobbyist Programmer
DaWei... at this point I am ready to believe in anything. When you literally stand in front of a programmer who claims to have years of experience in "C-Pound", you'll start to understand where I am coming from. No, this didn't happen to me, but I read about it on a forum once.

Although when I joined my school's website staff was about the time they started rewriting the entire site. Mostly because the administration wanted more content like videos and pictures to go along with our website as well as a new interface, so we decided to rewrite the whole thing. Well, just a few days ago I had to put up a "Snow Day" graphic on the old site, because our new one isn't completed yet. I've never worked with the old code before because I've never needed to, but it was HORRIBLE. It took me nearly an hour just to update that one graphic. Files that weren't even being used were left on the server. They were basically exact copies of the final version except for a few small changes, so I basically made the graphics change in 3 different files before I found the one that was actually being used. Hundreds upon hundreds of lines of code were commented out and left that way in the final version. API files were scattered everywhere with no sense of organization, and proper use of CSS?? HA! Forget that, let's create 20 different CSS files with only one setting in each of them and only use them once. But guess what? Our old site still works like a charm.

Any GOOD programmer knows the security risks such as SQL-Injection and Buffer Overflows, but how many GOOD programmers are there??? Less than you would think, and yes, I too would label buffer overflows as a lesser known risk. This doesn't just apply to programmers either. Average users will make the dumbest of passwords all the time. They'll use their birthday or the name of their dog, or whatever.

Do a majority of people in general know about these risks? Yes they do. But exactly how large is a majority? Many times it swings as low as 60/40 and SQL-Injection fits in that category.
Old Dec 11th, 2005, 6:35 PM   #15
Mocker
Hobbyist Programmer
Darkhack... I think you mean any mediocre PROFESSIONAL PROGRAMMER knows about mysql injection. The problem is usually with hobbyist programmers who make little random scripts and figure "the script just reads a random quote, I don't need to worry about verifying input" or just haven't read far enough to find out about it. Because with the different injection attacks (mysql, variable, input .. etc etc) it doesn't really matter what your program is supposed to do, a simple script can be hacked and used to take over your entire mysql or home directory account.

I see so many of these types of things in my work as a tech for a bunch of webhosting companies. Grrrr..

I just wrote a long long post then accidentally closed the window, so no long explanation from me.

Just.. you did not mention register_globals which is a HUGE security risk that people still seem to ignore.

Basically.. DO NOT USE register_globals and make sure they are disabled. If your server has them enabled you may be able to turn them off for your account in your root .htaccess file by adding the line
php_value register_globals OFF
__________________
#programmingforums relay - http://thegupstudio.com/cgi-bin/pforelay.cgi
freelance scripts - http://ryanguthrie.com/index.html
Old Dec 12th, 2005, 7:13 AM   #16
DaWei
Resident Grouch
Darkhack, I don't mean to get you off on a rant. I suppose your means of communication is just lacking. The fact that many programmers or web designers are not up to your standards is a non sequitur when applied to whether or not SQL injection is an "unknown" thing. If your definition of "unknown" is that less than an absolute majority know about it, well, okay, but I think that leaves you in a minority, definition-wise. Certainly, all the ranting about poor use of graphics or CSS or whatever has nothing to do with the community's awareness of SQL injection.
Old Dec 12th, 2005, 9:50 AM   #17
Arevos
Programming Guru
Quote:
Originally Posted by Ooble
You also need to backslash-out hyphens, as -- is a comment marker in SQL
Only if you don't quote the string, or don't backslash quotation marks, which you should be doing, anyway.
Old Dec 12th, 2005, 4:23 PM   #18
Ooble
I eat cake for breakfast.
What if it's an integer you're passing? Yes, you can quote integers in SQL, but it doesn't feel right.
__________________
Me :: You :: Them
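Added example, not code from the thread: Python's sqlite3 module stands in for the PHP/MySQL scripts being discussed, with a small constructed table. It shows why Ooble's unquoted-integer case is exactly the one where backslashing quotes does not help (the "--" Arevos and Ooble mention comments out the rest of the statement), and the two defences a practitioner uses instead: check that the value really is an integer, then bind it as a query parameter rather than splicing it into the SQL text.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table: one public quote and one hidden draft."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE quotes (id INTEGER PRIMARY KEY, body TEXT, hidden INTEGER)"
    )
    con.executemany(
        "INSERT INTO quotes VALUES (?, ?, ?)",
        [(1, "public quote", 0), (2, "draft, not for display", 1)],
    )
    return con


def fetch_unsafe(con, user_id):
    """The pattern under discussion: an unquoted 'integer' spliced into SQL.

    Because the value is not inside quotes, escaping quote characters
    changes nothing; a value such as "2 OR 1=1 --" rewrites the WHERE
    clause and comments out the 'hidden = 0' restriction.
    """
    sql = "SELECT body FROM quotes WHERE id = " + str(user_id) + " AND hidden = 0"
    return sorted(row[0] for row in con.execute(sql))


def fetch_safe(con, user_id):
    """Hardened form: validate the type, then bind the value as a parameter."""
    # Accept only a plain decimal integer; anything else is rejected outright.
    if not re.fullmatch(r"\d{1,10}", str(user_id)):
        raise ValueError("id must be a positive integer")
    # The placeholder keeps the value out of the SQL text entirely, so the
    # database never parses user input as part of the statement.
    sql = "SELECT body FROM quotes WHERE id = ? AND hidden = 0"
    return sorted(row[0] for row in con.execute(sql, (int(user_id),)))


if __name__ == "__main__":
    db = make_db()
    print(fetch_unsafe(db, "2 OR 1=1 --"))  # the hidden draft leaks
    print(fetch_safe(db, "1"))  # ['public quote']
```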