[ale] Seven Deadly Sins - PHP

Randall Janinda rjaninda at tqlabs.com
Tue Jun 10 22:12:15 EDT 2003




--snip--
I couldn't quite tell from the context whether this was your own code,
or 
someone else's code which you're using to support your cautions.
Assuming 
the former - I've only taken a very brief look, but it seems as though
your 
config file with your login and password for the database is sitting in
a 
web-accessible location.. this is clearly a no-no.  You also don't seem
to 
be escaping your variables before passing them to mysql, though I'm not 
sure off-hand whether DB.php does this for you, or if you have quotes
being 
"automagically escaped" by PHP.
--snip--

Sorry, that's what I get for rushing through my email. These files on
that site are my own. However, they are not the actual ones in use at
myroads.net (meaning the passwords, etc are not valid) they are simply
copies. I ALWAYS keep my .conf files outside the webspace and use
include(), require() and include_path as appropriate. These files were
placed there for others to download and toy with. I guess it's really
impossible to see the bigger picture with just the pieces I have
provided (for example, I do escape the mysql calls as they are generated
and parsed throughout the app). For that I apologize and will try to be
more complete in my future arguments.

Thanks,

Randy






_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale





More information about the Ale mailing list