Old 28th March 2011
Carpetsmoker
Real Name: Martin
Tcpdump Spy
Join Date: Apr 2008
Location: Netherlands
Posts: 2,243

From the manpage:

Quote:
PreventSQLi = yes|no
Prevent SQL-injection by placing a slash before every single-quote in the URL, POST-data and cookie. This is the same as PHP's magic-quotes. You should only use this option if such automated escaping is not already being done. Writing safe code is of course better. Note that this option can break up the uploading of binaries, like images. See also BanOnSQLi.
Default = no, example: PreventSQLi = yes
So basically, no.

What I do is write a "wrapper" function instead of calling the "bare" mysql_query() or cursor.execute() directly.

A more useful feature of hiawatha BTW:
Quote:
PreventXSS = yes|no
Prevent cross-site scripting by replacing a less-than, greater-than, quote or double-quote in the URL with an underscore.
Default = no, example: PreventXSS = yes
Hiawatha is also more strict in interpreting the HTTP standard, so malformed (potentially abusive) requests are rejected.
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
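An added example of the "wrapper" approach mentioned in this post, written for this page and not taken from Hiawatha or the poster. It mimics the PreventSQLi-style backslash escaping in a constructed helper (prevent_sqli), then contrasts it with a wrapper around cursor.execute() that binds parameters, using an in-memory SQLite database with constructed rows.

```python
import sqlite3

def prevent_sqli(value: str) -> str:
    """Constructed stand-in for Hiawatha's PreventSQLi / PHP magic_quotes:
    put a backslash before every single quote in the incoming value."""
    return value.replace("'", "\\'")

def connect():
    """In-memory SQLite with a few constructed rows (one name contains a quote)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("O'Reilly", "user")],
    )
    return conn

def query(conn, sql, params=()):
    """The wrapper: callers never build SQL strings from user input.
    The value travels separately to the driver, which binds it as data."""
    cur = conn.cursor()
    cur.execute(sql, params)
    return cur.fetchall()

def find_user(conn, name):
    """Safe lookup through the wrapper; quotes in 'name' are just characters."""
    return query(conn, "SELECT name, role FROM users WHERE name = ?", (name,))

def find_user_escaped_only(conn, name):
    """Lookup that relies on web-server-side escaping and string concatenation.
    The backslash escape is MySQL-style; SQLite doubles quotes instead, so the
    escaped value yields invalid SQL here (returns None instead of raising)."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % prevent_sqli(name)
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None

if __name__ == "__main__":
    db = connect()
    print(find_user(db, "O'Reilly"))          # [('O\'Reilly', 'user')]
    print(find_user(db, "' OR 1=1 --"))       # []  (treated as a literal name)
    print(find_user_escaped_only(db, "O'Reilly"))  # None: dialect mismatch
```

The last call shows why the manpage says to use PreventSQLi only when such escaping is not already done elsewhere: the escape rule is tied to one SQL dialect, while the parameterised wrapper works the same on every database driver.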