[OWASP_PHPSEC] Interview Question

Abbas Naderi abiusx at owasp.org
Fri Jul 26 17:42:49 UTC 2013


It's probably because they read my explanations the wrong way :D
There are two scenarios where prepared statements (aka parameterized queries) are unsafe, not considering human errors (i.e., we are only talking about proper usages of them, not when you don't use them properly):
1. Dynamic Queries:
you have to use table and field names here, by concatenation. Best bet is to have them start as TaintedString, then WHITELIST using a callback or an array to the tainted class.
2. Non-supported clauses:
for example, LIMIT BY in MySQL 5-, cannot accept parameters and requires numbers. In these scenarios, type-casting will do the trick.
-Abbas
______________________________________________________________
Notice: This message is digitally signed; its source and integrity are verifiable.
If your mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body. Read more at Certified E-Mail with Comodo and Thunderbird in AbiusX.com

On Mordad 4, 1392, at 12:44 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:

> In my interview process I was asked one question: how can you improperly use parameterized queries? I was not able to answer this. Later they told me that by concatenation, there is a problem. But I didn't understand this fully. Can someone explain this?
> 
> -- 
> Regards,
> Rahul Chaudhary
> Ph - 412-519-9634

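An added example (not code from this thread) of the two fixes Abbas describes, whitelisting identifiers and casting the LIMIT count, while the data value stays a bound parameter. It uses Python's bundled sqlite3 instead of PHP/MySQL so it runs stand-alone; the table and column whitelists and the sample rows are constructed for the example.

```python
import sqlite3

# Identifiers (table/column names) cannot be bound as parameters, so they
# must come from a whitelist; the row count after LIMIT is cast to int
# before it is concatenated (the MySQL limitation Abbas mentions); the
# WHERE value is the only part that goes through a bound parameter.
ALLOWED_TABLES = {"users", "orders"}                      # constructed whitelist
ALLOWED_COLUMNS = {"users": {"id", "name", "email"},      # constructed whitelist
                   "orders": {"id", "total"}}

def whitelist_identifier(name, allowed):
    """Return name only if it is an exact member of the whitelist."""
    if name not in allowed:
        raise ValueError(f"identifier not in whitelist: {name!r}")
    return name

def build_query(table, order_by, limit):
    """Build the SQL text; identifiers are whitelisted, LIMIT is an int."""
    table = whitelist_identifier(table, ALLOWED_TABLES)
    order_by = whitelist_identifier(order_by, ALLOWED_COLUMNS[table])
    limit = int(limit)            # ValueError on anything that is not a number
    if limit < 1:
        raise ValueError("limit must be positive")
    # Only the data value is left to the driver as a placeholder.
    return f"SELECT * FROM {table} WHERE name = ? ORDER BY {order_by} LIMIT {limit}"

def rejects(*args):
    """True if build_query refuses these inputs (whitelist or cast failure)."""
    try:
        build_query(*args)
    except ValueError:
        return True
    return False

def fetch(conn, table, order_by, limit, name):
    """Run the built query with the data value bound as a parameter."""
    return conn.execute(build_query(table, order_by, limit), (name,)).fetchall()

def demo_db():
    """In-memory database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "a@example.com"), (2, "bob", "b@example.com"),
        (3, "alice", "a2@example.com")])
    return conn

if __name__ == "__main__":
    print(fetch(demo_db(), "users", "id", "10", "alice"))
```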