Weblog

21 August 2011, 20:29

This release only contains a rewrite of the SQL injection prevention routine. The previous version escaped the quotes by placing a backslash in front of it. Although the manual page clearly said that this feature should only be used when your application is vulnerable to SQL injection, many people enabled this feature without knowing what they were doing. This caused a lot of problems, with uploading binaries for example, and led to a lot of questions on the forum and in my mailbox.

I therefore decided to rewrite this feature. It now tries to detect an SQL injection in the request and, if found, it generates a 409 Conflict error. The bad part is that this approach is not 100% reliable. Most common SQL injection attacks will be detected, but some rare ones will not. The good part is that binary uploads will no longer cause a problem and it will no longer conflict with PHP's magic_quotes.

Of course, it's still better to write safe code or to use a secure framework. Hint: Banshee :)
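To make the three points above concrete, here is an added example (written for this page, not Hiawatha's code and not the detection logic the release actually ships): a blind quote-escaper of the old kind, applied to a constructed "binary upload" and stacked with a magic_quotes-style second escaping; a small pattern-based detector of the new kind answering 409, with a constructed request that slips past it because the filter sees the parameter but never the SQL it lands in; and the parameterised query that stays correct for every one of those inputs. The pattern list, the hypothetical handle_request() handler and the sample users table are all assumptions of the example.

```python
import re
import sqlite3

# --- 1. The old approach: blind backslash escaping of the request -------------

def escape_quotes(data: bytes) -> bytes:
    """Put a backslash in front of every quote, applied to the raw request body
    regardless of its content type (the behaviour the old routine had)."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22):      # ' and "
            out.append(0x5C)       # backslash
        out.append(b)
    return bytes(out)

# Constructed sample: a "binary upload" that happens to contain quote bytes.
BINARY_UPLOAD = bytes([0x89, 0x50, 0x4E, 0x47, 0x27, 0x00, 0x22, 0xFF])

def upload_survives_escaping() -> bool:
    """False: the escaper inserts bytes, so the stored file no longer matches."""
    return escape_quotes(BINARY_UPLOAD) == BINARY_UPLOAD

def escaped_twice(value: str) -> str:
    """Server escaping followed by a magic_quotes_gpc-style escaping of ' " and \\:
    O'Reilly ends up with three backslashes before the quote."""
    once = escape_quotes(value.encode()).decode()
    return once.replace("\\", "\\\\").replace("'", "\\'")

# --- 2. The new approach: detect injection in the request, answer 409 ---------
# Toy pattern list (an assumption of this example, not the server's own rules).
INJECTION_PATTERNS = [
    re.compile(r"'\s*(or|and)\b", re.I),                           # ' OR 1=1
    re.compile(r"\bunion\b.*\bselect\b", re.I),                    # UNION SELECT
    re.compile(r";\s*(drop|delete|insert|update|alter)\b", re.I),  # stacked query
    re.compile(r"(--|/\*)"),                                       # comment out the rest
]

def looks_like_injection(value: str) -> bool:
    return any(p.search(value) for p in INJECTION_PATTERNS)

def handle_request(params: dict) -> int:
    """Hypothetical handler: 409 Conflict if any parameter looks hostile, else 200."""
    if any(looks_like_injection(v) for v in params.values()):
        return 409
    return 200

# --- 3. What actually fixes it: parameterised queries -------------------------

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn

def lookup_unsafe(conn: sqlite3.Connection, user_id: str) -> list:
    # Vulnerable on purpose: the parameter is pasted into the SQL text, so a
    # numeric-context payload like "1 OR 1=1" needs no quote to take effect.
    return [r[1] for r in conn.execute(
        f"SELECT id, name FROM users WHERE id = {user_id}")]

def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    # The value travels separately from the SQL and can never become syntax.
    return [r[1] for r in conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (user_id,))]

if __name__ == "__main__":
    print("binary upload intact after escaping:", upload_survives_escaping())
    print("O'Reilly escaped twice:", escaped_twice("O'Reilly"))
    for params in ({"user": "admin' OR 1=1 --"}, {"user": "O'Reilly"}, {"id": "1 OR 1=1"}):
        print(params, "->", handle_request(params))
    db = make_db()
    print("unsafe:", lookup_unsafe(db, "1 OR 1=1"), "safe:", lookup_safe(db, "1 OR 1=1"))
```

The request {"id": "1 OR 1=1"} gets a 200 from the detector and still dumps the whole table through lookup_unsafe(); extending the pattern list only moves the line, because the filter cannot know whether a parameter ends up inside quotes, in a numeric comparison or in an identifier. lookup_safe() returns nothing for that input and still finds "bob" for "2", which is the behaviour the advice above is asking for.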

PolarSSL

I've taken a good look at PolarSSL. Although its code is much cleaner and better than OpenSSL's code, I'm not convinced yet that replacing OpenSSL with PolarSSL is the right thing to do. The biggest problem is that the ssl_handshake() function has no timeout option, which makes PolarSSL vulnerable to a DoS attack by sending only half an SSL handshake.
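What the missing timeout would look like, as an added example that is not part of the post and not PolarSSL's or Hiawatha's code: a read bounded by an absolute deadline, so a client that sends half a handshake and then goes quiet costs the server at most the deadline instead of a worker for ever. The "handshake" here is a constructed toy framing (a five-byte header announcing a body length, loosely shaped like a TLS record header), not TLS, and the two peers are a local socketpair. Mapping this onto PolarSSL would mean doing the deadline check inside the receive callback given to ssl_set_bio() and returning an error from it so that ssl_handshake() fails instead of blocking; that mapping is an assumption about the API, not something the post states.

```python
import select
import socket
import time

HANDSHAKE_TIMEOUT = 0.2   # seconds; kept short for the demo, a real server uses a few seconds

class HandshakeTimeout(Exception):
    pass

def recv_with_deadline(sock: socket.socket, n: int, deadline: float) -> bytes:
    """Read exactly n bytes or raise HandshakeTimeout once the absolute deadline passes.
    Using an absolute deadline (not a per-read timeout) means a peer that trickles
    one byte at a time cannot keep the handshake open indefinitely."""
    buf = bytearray()
    while len(buf) < n:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise HandshakeTimeout(f"got {len(buf)}/{n} bytes before the deadline")
        ready, _, _ = select.select([sock], [], [], remaining)
        if not ready:
            raise HandshakeTimeout(f"got {len(buf)}/{n} bytes before the deadline")
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection during the handshake")
        buf += chunk
    return bytes(buf)

def read_handshake(sock: socket.socket, deadline: float) -> bytes:
    """Toy handshake (constructed for this example, not TLS): a 5-byte header whose
    last two bytes give the body length, followed by that body."""
    header = recv_with_deadline(sock, 5, deadline)
    body_len = int.from_bytes(header[3:5], "big")
    return header + recv_with_deadline(sock, body_len, deadline)

def simulate_client(client_bytes: bytes) -> str:
    """Server side accepts a 'connection', the client sends client_bytes and then
    stays silent (the half-handshake case). Returns what happened to the server."""
    server, client = socket.socketpair()
    try:
        client.sendall(client_bytes)
        deadline = time.monotonic() + HANDSHAKE_TIMEOUT
        try:
            read_handshake(server, deadline)
            return "complete"
        except HandshakeTimeout:
            return "timeout"
        except ConnectionError:
            return "closed"
    finally:
        # Closing on timeout is what frees the worker; without it the attacker
        # still holds the slot.
        server.close()
        client.close()

# Constructed messages: a complete toy handshake and the same one cut in half.
FULL_HANDSHAKE = b"\x16\x03\x01\x00\x04" + b"ABCD"
HALF_HANDSHAKE = b"\x16\x03\x01\x00\x04" + b"AB"

if __name__ == "__main__":
    print("full handshake:", simulate_client(FULL_HANDSHAKE))
    print("half handshake:", simulate_client(HALF_HANDSHAKE))
    print("silent client: ", simulate_client(b""))
```

The deadline is the part that matters for the attack described above: a client that sends a correct header and two of the four body bytes is cut off after HANDSHAKE_TIMEOUT, the same as a client that sends nothing at all, and the server gets its worker back either way.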