recommendations/links for learning how to write POST/GET scripts to thwart sql injection
NotGiven 2004-08-16, 8:57 am
Steve wrote,
> "And read up on "sql injection" attacks (use your favorite search
> engine). As indicated, validate input. e.g. if you expect $_GET['a']
> to be integer, then do
>
> $a = intval($_GET['a']);"
I want to learn how to incorporate defenses into my code to thwart a sql
injection attack. Please recommend links that discuss actual code defenses,
not just what the attack is.
Thanks.
Andy Hassall 2004-08-17, 8:57 pm
On Mon, 16 Aug 2004 07:33:02 -0400, "NotGiven" <noname@nonegiven.net> wrote:
>Steve wrote,
>
>I want to learn how to incorporate defenses into my code to thwart a sql
>injection attack. Please recommend links that discuss actual code defenses,
>not just what the attack is.
Depends on what database you're using. SQL injection is largely irrelevant for
databases that use placeholders/bind variables. But MySQL, which is popular in
usage with PHP, is one of the few that doesn't support them (until the beta 4.1
version, anyway, where at long last placeholder support has been added).
Which database are you using?
--
Andy Hassall / <andy@andyh.co.uk> / <http://www.andyh.co.uk>
<http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
NotGiven 2004-08-17, 8:57 pm
using mysql at a shared hosting
"Andy Hassall" <andy@andyh.co.uk> wrote in message
news:of15i09iacv8tddihqd92tj1g1ektei111@4ax.com...
> On Mon, 16 Aug 2004 07:33:02 -0400, "NotGiven" <noname@nonegiven.net> wrote:
>
> Depends on what database you're using. SQL injection is largely irrelevant for
> databases that use placeholders/bind variables. But MySQL, which is popular in
> usage with PHP, is one of the few that doesn't support them (until the beta 4.1
> version, anyway, where at long last placeholder support has been added).
>
> Which database are you using?
>
> --
> Andy Hassall / <andy@andyh.co.uk> / <http://www.andyh.co.uk>
> <http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
Andy Hassall 2004-08-18, 3:57 pm
On Tue, 17 Aug 2004 19:35:05 -0400, "NotGiven" <noname@nonegiven.net> wrote:
>
>using mysql at a shared hosting
Then ensure that your data is escaped exactly once using mysql_escape_string
(and not multiple times, e.g. through magic_quotes). There are only two distinct
cases for data values:
Matching against numeric columns:
"SELECT x FROM y WHERE z = $something"
In this case, ensure $something is a number only, e.g. with is_numeric().
"SELECT x FROM y WHERE a = '$something'"
In this case, run $something through mysql_escape_string() first. This escapes
the significant characters ' and \.
And never use user input directly for SQL, only use it for data values after
appropriate validation and escaping as above.
Or use a database abstraction layer (PEAR DB, ADODB) that supports
placeholders even where the underlying database doesn't natively, and have the
abstraction layer handle the escaping. This ends up with statements of the form
"... WHERE x = ?", and then you call a separate function to 'bind' a value to
that ? mark, regardless of what type it is, without worries about what the
value is.
--
Andy Hassall / <andy@andyh.co.uk> / <http://www.andyh.co.uk>
<http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
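An added example (not code from the thread or its participants) that puts Andy's two data-value cases next to the placeholder form in PHP. It assumes a hypothetical `users` table with `id` and `name` columns and mysqli/PDO connections, uses the mysqli escaping function in place of mysql_escape_string() (which no longer exists in current PHP), and uses PDO prepared statements in place of the PEAR DB/ADODB layer he mentions.

```php
<?php
// Added example, not from the thread. Assumed: table `users` with columns
// `id` (INT) and `name` (VARCHAR); $db is a mysqli connection, $pdo a PDO one.
// mysql_escape_string() from the thread is gone from current PHP, so the string
// case uses the mysqli equivalent, which also honours the connection charset.

// Unsafe form the thread warns against: user input pasted straight into the SQL.
function findUserUnsafe(mysqli $db, string $id)
{
    return $db->query("SELECT name FROM users WHERE id = $id");
}

// Case 1, numeric column: accept only an integer literal, then cast.
// intval() on its own would quietly turn "1abc" into 1; check first, then cast.
function findUserById(mysqli $db, string $id): ?string
{
    if (!ctype_digit($id)) {
        return null;            // refuse rather than "repair" the input
    }
    $result = $db->query("SELECT name FROM users WHERE id = " . intval($id));
    $row = $result->fetch_assoc();
    return $row ? $row['name'] : null;
}

// Case 2, quoted string column: escape exactly once, right before building the SQL.
// On legacy PHP with magic_quotes_gpc on, the value already carries backslashes;
// escaping it again would double them, so strip those first (the guard keeps
// this code runnable on PHP 8, where that function no longer exists).
function findUserByName(mysqli $db, string $name): ?string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $name = stripslashes($name);
    }
    $safe = $db->real_escape_string($name);   // handles ' " \ NUL \r \n and ^Z
    $result = $db->query("SELECT id FROM users WHERE name = '$safe'");
    $row = $result->fetch_assoc();
    return $row ? (string) $row['id'] : null;
}

// Placeholder form ("... WHERE x = ?") that the thread recommends via PEAR DB or
// ADODB, shown here with PDO prepared statements instead (bundled since PHP 5.1).
// The value is bound separately and never becomes part of the SQL text.
function findUserByNameBound(PDO $pdo, string $name): ?string
{
    $stmt = $pdo->prepare("SELECT id FROM users WHERE name = ?");
    $stmt->execute([$name]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (string) $id;
}
```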