Re: TWIG SQL query bugs

[Steve Stavropoulos <steve () math upatras gr>]

On Wed, 30 May 2001, Ryan Fox wrote:

> One more point here.
>
> > Simply adding a quote is not the proper way to handle this in PHP.
>
> Not really.  There are other malicious characters that can be used in sql
> statements.  The one in the front of my mind is ";", used to terminate a
> query and begin a new one.  Think of $IDNumber=";drop database foo".  (This
> can be helped by using a database with proper access controls set up, so the
> user the web process normally connects as does not have permission to drop a
> database.  I don't know if this product sets itself up like that by
> default).
>
> Good programming practice is to code a function specifically to strip any
> possible malicious characters out of strings, and wrap it around every
> variable put into a query, whether it should be user-supplied or not.
> Addslashes is a good function to call from your stripping function, but it
> should not be your only line of defense.
>
> Ryan Fox
The only malicious character in an SQL query executed from php is '.
If you have for example:
select * from kokos where user='$user'
and $user=';drop database totos;'
then the SQL query will be:
select * from kokos where user=';drop database totos;'
and that's ONE SQL statement.
the ; inside the quotes is simply part of a STRING. The only way to get
out of a string is with a ' and the ' gets stripped out with addslashes.

 If the user supplied variable isn't treated as a string but as part of
the SQL statement then you have to escape ; as well.


                Steve Stavropoulos