I have some experience testing for injection vulnerabilities, but I don't feel as strong when it comes to protecting my own applications. Part of my doubt might come from not being able to find an advanced, comprehensive guide on the subject. I want to be able to assure my clients that any app I develop is 100% secure. Easier said than done, I'm sure.
My problem is that I have a hard time relying on code other people have developed. I was reading up on MySQL's PREPARE statement earlier, and while it seems quite safe, I noticed repeated comments that it was designed primarily for testing and to use external APIs. I use PHP, and I saw its mysqli interface, but again, I have a hard time depending on other people's code. I did some work for a place that used to use tons of Dreamweaver-generated SQL because they assumed that Macromedia would generate "safer" code than they could write on their own. We were all shocked when one day I noticed a huge, very basic mistake causing large portions of their website to be vulnerable. Apparently Dreamweaver's code had been like that for years. I'm concerned that if I depend on PHP's API, someone will discover a flaw and my applications will then be vulnerable.
Question 1: From a legal standpoint, if I rely on PHP's functions which they claim are secure, am I still liable as the programmer if my client gets hacked? As far as I know, yes.
But legal issues aside, I want to **know** that I'm safe. So...
Question 2: What does it take to completely protect from injection attacks? Is it enough to replace all/most special characters? Is there a comprehensive guide? What are the best known practices today?
Thanks,
Rick
RISTMO Designs: Rockwall Web Design
Arab Church: Arabic Christian Resources
Genuine Autos: Kaufman Chevrolet & Pontiac Dealer
Rick Morgan's Official Website
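The post's second question contrasts "replacing special characters" with the mysqli interface it mentions. The following is an added example, not code from the original post, that puts the three approaches side by side in PHP: string concatenation (the pattern that creates the injection), escaping with `mysqli::real_escape_string` and the conditions under which it is correct, and a parameterised query through `mysqli::prepare`. The table and column names (`users`, `id`, `email`, `role`), the connection parameters and the function names are assumptions made for the example.

```php
<?php
// Added example (not from the original post). Assumes a MySQL table
// users(id INT, email VARCHAR(255), role VARCHAR(32)) and a mysqli
// connection; table, column names and connection details are assumptions.
declare(strict_types=1);

// Throw on database errors instead of continuing with a null result.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// 1. The pattern to avoid: the user-supplied value becomes part of the SQL
//    text, so a quote character in the value changes the query's structure.
function findUserUnsafe(mysqli $db, string $email): ?array
{
    $sql = "SELECT id, email, role FROM users WHERE email = '" . $email . "'";
    return $db->query($sql)->fetch_assoc() ?: null;
}

// 2. Escaping alone is fragile: real_escape_string is only correct when the
//    connection charset matches the server's, and it does nothing for values
//    that are not wrapped in quotes (numeric comparisons, LIMIT clauses).
function findUserEscaped(mysqli $db, string $email): ?array
{
    $db->set_charset('utf8mb4');            // charset must be set for escaping to be correct
    $safe = $db->real_escape_string($email);
    $sql  = "SELECT id, email, role FROM users WHERE email = '" . $safe . "'";
    return $db->query($sql)->fetch_assoc() ?: null;
}

// 3. Parameterised query: the SQL text is sent to the server first and the
//    value separately, so the value can never alter the query's structure.
function findUserPrepared(mysqli $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, email, role FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);         // 's' binds the value as a string
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// 4. Placeholders cannot stand in for identifiers such as column names, so a
//    user-chosen sort column is checked against an allow-list; the numeric
//    LIMIT is still bound as a parameter rather than concatenated.
function listUsersSorted(mysqli $db, string $sortColumn, int $limit): array
{
    $allowed = ['id', 'email', 'role'];
    if (!in_array($sortColumn, $allowed, true)) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    $stmt = $db->prepare("SELECT id, email, role FROM users ORDER BY $sortColumn LIMIT ?");
    $stmt->bind_param('i', $limit);         // 'i' binds the value as an integer
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage (connection parameters are placeholders). An address containing an
// apostrophe is ordinary data to the prepared query, which is the point.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
var_dump(findUserPrepared($db, "o'reilly@example.com"));
var_dump(listUsersSorted($db, 'email', 10));
```

`get_result()` requires the mysqlnd driver; on builds without it, use `bind_result()` and `fetch()` instead. The escaping variant is shown only to make the caveats concrete: the prepared form is the one to use for every value, and the allow-list is the complement for the parts of a statement (identifiers, keywords) that placeholders cannot carry.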