user input question
Kristian Hermansen
kristian.hermansen at gmail.com
Tue Apr  3 15:39:07 EDT 2007

On 4/3/07, Bill Horne <bill at horne.net> wrote:
>    1. Create an SQL user with only Select permission, and use that for
>       all web-generated queries.
Yes, and additionally, possibly make it a VIEW rather than an actual
table entry.  That way you limit the damage if someone finds another
way in...
>    2. Filter SQL delimiters from all POST data
Again, this is bad practice.  Never filter specific inputs.  Always
whitelist.  You could do more, but how secure do you really need it to
be?  You aren't storing SSNs I hope :-)
-- 
Kristian Hermansen
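As an added example that is not part of this thread, the two points above in Python's standard sqlite3 module: a whitelist check on the POST value, a parameterised query, a view that exposes only the columns the web tier needs, and SQLite's authorizer hook standing in for a SELECT-only database account (SQLite has no user accounts, so the hook emulates one). Table, column and function names are assumptions for the illustration.

```python
import re
import sqlite3

# Whitelist: a username is 1-32 characters of letters, digits, underscore or hyphen.
# Anything else (quotes, semicolons, spaces) is rejected outright rather than "filtered".
USERNAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def is_valid_username(value: str) -> bool:
    """Accept only what the application expects; reject everything else."""
    return USERNAME_RE.fullmatch(value) is not None


def select_only_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """Stand-in for a SELECT-only DB account: permit reads, deny every other action."""
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def build_db() -> sqlite3.Connection:
    """Constructed sample schema (hypothetical): base table plus a limited view."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT, ssn TEXT);
        INSERT INTO users (name, pw_hash, ssn)
            VALUES ('alice', 'hash-a', '000-00-0001'), ('bob', 'hash-b', '000-00-0002');
        -- The web tier only ever queries the view; pw_hash and ssn are not exposed by it.
        CREATE VIEW public_users AS SELECT id, name FROM users;
    """)
    conn.set_authorizer(select_only_authorizer)  # from here on, reads only
    return conn


def lookup_user(conn: sqlite3.Connection, requested_name: str):
    """Whitelist-validate the input, then query the view with a bound parameter."""
    if not is_valid_username(requested_name):
        return None
    return conn.execute(
        "SELECT id, name FROM public_users WHERE name = ?", (requested_name,)
    ).fetchone()


def write_attempt_denied(conn: sqlite3.Connection) -> bool:
    """Show that the read-only connection cannot modify data even if asked to."""
    try:
        conn.execute("DELETE FROM users")
        return False
    except sqlite3.DatabaseError:  # SQLite reports "not authorized"
        return True
```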