
RE: Blind SQL Injection / Stored procedures

Subject: RE: Blind SQL Injection / Stored procedures
Date: Fri, 18 Nov 2005 11:55:00 +0100

Hi Phillip,

The first thing I can tell you about PHP, since I don't know much about it, is 
the use of the magic quotes option. You should find valuable information on this 
topic on Google. However, you have to know that there are some problems with it. 
Read it carefully.

Now the problem with PHP is that below version 5 (not 100% sure) there is 
nothing that prevents SQL injection, since the SQL is inline in the code. 
Even with magic quotes it's dangerous, since you can achieve SQL injection 
without a single quote (when there is an integer argument, for instance).

Another option I found is a database abstraction layer package made by PEAR; 
it works on PHP 4 and 5 and should be free (pear.php.net/package/DB). I don't 
know whether it's a good product or really secure, but you can always try. 
I just know they use their own prepared statements and quote stripping.

Good luck!

François Larouche

P.S. It's not a good idea to talk openly about your architecture on the net; not 
all people on this list are pure of heart :) NASA is an attractive place...
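
The point made above about integer arguments, as an added example that is not part of the original mail: quote-escaping of the kind PHP's magic_quotes_gpc performed (addslashes() on every request parameter) does nothing when the injected value is concatenated into an unquoted numeric position, because the payload needs no quote character. The example stands the inline query next to a prepared statement. It uses PDO with an in-memory SQLite database (assumes the pdo_sqlite extension) rather than the PEAR DB package named in the mail; the table, rows and attacker input are constructed for the demonstration.

```php
<?php
// Added example (not from the original mail). Demonstrates that escaping
// quotes does not protect an unquoted integer argument, while a bound
// parameter does. Assumes PHP with PDO and pdo_sqlite available.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed sample schema and data for the demonstration.
$pdo->exec("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)");
$pdo->exec("INSERT INTO users VALUES (1, 'alice', 'user'), (2, 'bob', 'admin')");

// Vulnerable: SQL text assembled inline, integer argument left unquoted.
function findUserInline(PDO $pdo, string $id): array
{
    // Emulates what magic_quotes_gpc did to request data: escape ' " \ and NUL.
    // A payload such as "1 OR 1=1" contains none of those, so it passes untouched.
    $escaped = addslashes($id);
    $sql = "SELECT id, name, role FROM users WHERE id = $escaped";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value travels to the driver separately from the SQL text,
// and is coerced to an integer before binding so it can only ever be a number.
function findUserPrepared(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare("SELECT id, name, role FROM users WHERE id = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal lookup and an attacker value with no quotes in it.
$normal  = "1";
$payload = "1 OR 1=1";

printf("inline,   normal input: %d row(s)\n", count(findUserInline($pdo, $normal)));
printf("inline,   %-12s: %d row(s)\n", "'$payload'", count(findUserInline($pdo, $payload)));
printf("prepared, %-12s: %d row(s)\n", "'$payload'", count(findUserPrepared($pdo, $payload)));
```

With the payload, the inline version's WHERE clause becomes `id = 1 OR 1=1`, so the whole table comes back, including the admin row; addslashes() never saw anything to escape. The prepared version returns only the row for id 1, because `(int) "1 OR 1=1"` is 1 and the driver treats the bound value as data, not as part of the statement. The general lesson matches the mail: an escaping layer is only a partial mitigation, and parameterised queries (PEAR DB's prepared statements then, PDO or mysqli today) are the fix.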

