Re: PHPNuke SQL Injection / General SQL Injection

[David Walker <bugtraq () grax com>]

When programming a system that creates sql strings based on passed in integers
i.e. where some_int=$variable_from_querystring
you must always do a check to confirm that that variable contains only numeric 
data.   

an alternate fix on sql servers that allow the format
where some_int='1234' -- (quoted numbers)
would be to do
where some_int='replace($variable_from_querystring,"'","''")'
This would cause a more than likely harmless error to occur whenever character 
occurs within the passed in numeric/integer variable.