Code Comments

Steve wrote,

> "And read up on "sql injection" attacks (use your favorite search
> engine). As indicated, validate input. e.g. if you expect $_GET['a']
> to be integer, then do
>
> $a = intval($_GET['a']);"

I want to learn how to incorporate defenses into my code to thwart a SQL injection attack. Please recommend links that discuss actual code defenses, not just what the attack is. Thanks.
On Mon, 16 Aug 2004 07:33:02 -0400, "NotGiven" <noname@nonegiven.net> wrote:

> Steve wrote,
>
> I want to learn how to incorporate defenses into my code to thwart a SQL
> injection attack. Please recommend links that discuss actual code defenses,
> not just what the attack is.

Depends on what database you're using. SQL injection is largely irrelevant for databases that use placeholders/bind variables. But MySQL, which is popular in usage with PHP, is one of the few that doesn't support them (until the beta 4.1 version, anyway, where at long last placeholder support has been added).

Which database are you using?

--
Andy Hassall / <andy@andyh.co.uk> / <http://www.andyh.co.uk>
<http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
using mysql at a shared hosting

"Andy Hassall" <andy@andyh.co.uk> wrote in message news:of15i09iacv8tddihqd92tj1g1ektei111@4ax.com...
> On Mon, 16 Aug 2004 07:33:02 -0400, "NotGiven" <noname@nonegiven.net> wrote:
> defenses,
>
> Depends on what database you're using. SQL injection is largely irrelevant for
> databases that use placeholders/bind variables. But MySQL, which is popular in
> usage with PHP, is one of the few that doesn't support them (until the beta 4.1
> version, anyway, where at long last placeholder support has been added).
>
> Which database are you using?
>
> --
> Andy Hassall / <andy@andyh.co.uk> / <http://www.andyh.co.uk>
> <http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
On Tue, 17 Aug 2004 19:35:05 -0400, "NotGiven" <noname@nonegiven.net> wrote:

> using mysql at a shared hosting

Then ensure that your data is escaped exactly once using mysql_escape_string (and not multiple times, e.g. through magic_quotes). There are only two distinct cases for data values:

Matching against numeric columns:

    "SELECT x FROM y WHERE z = $something"

In this case, ensure $something is a number only, e.g. with is_numeric().

Matching against string columns:

    "SELECT x FROM y WHERE a = '$something'"

In this case, run $something through mysql_escape_string() first. This escapes the significant characters ' and \.

And never use user input directly for SQL, only use it for data values after appropriate validation and escaping as above.

Or use a database abstraction layer (PEAR DB, ADODB) that supports placeholders even where the underlying database doesn't natively, and have the abstraction layer handle the escaping. This ends up with statements of the form "... WHERE x = ?", and then you call a separate function to 'bind' a value to that ? mark, regardless of what type it is, without worries about what the value is.

--
Andy Hassall / <andy@andyh.co.uk> / <http://www.andyh.co.uk>
<http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
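The two cases in the post above, written out as an added example that is not from the thread: it validates the numeric case before the value reaches SQL and uses placeholders for the string case. It assumes PDO as the placeholder-capable layer (standing in for the PEAR DB / ADODB layer Andy mentions) and an in-memory SQLite table in place of MySQL so the script runs offline.

```php
<?php
// Added example (not from the thread). PDO placeholders stand in for the
// PEAR DB / ADODB abstraction layer; SQLite in memory stands in for MySQL.

function openDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
    $ins = $db->prepare("INSERT INTO users (id, name) VALUES (?, ?)");
    // Constructed sample rows; the second name contains a quote on purpose.
    foreach ([[1, "alice"], [2, "O'Brien"]] as $row) {
        $ins->execute($row);
    }
    return $db;
}

// Case 1: numeric column. Validate the raw input as an integer before it
// goes anywhere near SQL. FILTER_VALIDATE_INT is stricter than is_numeric(),
// which also accepts "1.5" and "1e3". Anything that fails is rejected,
// not "cleaned up".
function userById(PDO $db, string $rawId): ?array {
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare("SELECT id, name FROM users WHERE id = ?");
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Case 2: string column. The value is bound to the ? placeholder, so the
// driver takes care of quoting; the quote in O'Brien is sent as data and
// can never terminate the literal, and nothing is escaped twice.
function userByName(PDO $db, string $name): ?array {
    $stmt = $db->prepare("SELECT id, name FROM users WHERE name = ?");
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = openDemoDb();
var_dump(userById($db, "2"));         // valid integer, row looked up
var_dump(userById($db, "2abc"));      // fails integer validation
var_dump(userByName($db, "O'Brien")); // quote handled by the driver
```

Requires the pdo_sqlite extension; swap the DSN for a MySQL one and the two lookup functions work unchanged, since the placeholders are handled by the driver.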
Copyright 2000-2006 Jelsoft Enterprises Limited.