[OWASP_PHPSEC] Interview Question

rahul chaudhary rahul300chaudhary400 at gmail.com
Sun Jul 28 05:51:59 UTC 2013


After reading this, the code that I have posted here:
http://codepad.org/StiiHUUe

obviously has flaws in it. Becuse then one can write a config file and
present different DBTable to insert garbage value in that DBTable.
*However, I am not sure what to make out of this. Since, the libraries will
be used by developers, should we protect this particular code ???*

*Note:* Please first see and understand the code posted here before
answering.


On Fri, Jul 26, 2013 at 1:42 PM, Abbas Naderi <abiusx at owasp.org> wrote:

> Its probably because they read my explanations the wrong way :D
> There are two scenarios where prepared statements (aka parameterized
> queries) are unsafe, not considering human errors (i.e we are only talking
> about proper usages of them, not when you don't use them properly):
> 1. Dynamic Queries:
> you have to use table and field names here, by concatenation. Best bet is
> to have them start as TaintedString, then WHITELIST using a callback or an
> array to the tainted class.
> 2. Non-supported clauses:
> for example, LIMIT BY in MySQL 5-, can not accept parameters and requires
> numbers. In these scenarios, type-casting will do the trick.
> -Abbas
> ______________________________________________________________
> *Notice:** *This message is *digitally signed*, its *source* and *
> integrity* are verifiable.
> If you mail client does not support S/MIME verification, it will display a
> file (smime.p7s), which includes the X.509 certificate and the signature
> body.  Read more at Certified E-Mail with Comodo and Thunderbird<http://abiusx.com/certified-e-mail-with-comodo-and-thunderbird/> in
> AbiusX.com
>
> On Mordad 4, 1392, at 12:44 PM, rahul chaudhary <
> rahul300chaudhary400 at gmail.com> wrote:
>
> In my interview process I was asked one question, how can you improperly
> use parameterized queries. I was not able to answer this. Later they told
> me that by concatenation, there is problem. But I didn't understood this
> fully. Can someone explain this ?
>
> --
> Regards,
> Rahul Chaudhary
> Ph - 412-519-9634
>  _______________________________________________
> OWASP_PHP_Security_Project mailing list
> OWASP_PHP_Security_Project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>
>
>


-- 
Regards,
Rahul Chaudhary
Ph - 412-519-9634
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp_php_security_project/attachments/20130728/75524784/attachment-0001.html>


More information about the OWASP_PHP_Security_Project mailing list