Bugtraq mailing list archives
Re: PHPNuke SQL Injection / General SQL Injection
From: David Walker <bugtraq () grax com>
Date: Fri, 21 Feb 2003 15:21:12 -0600
When programming a system that creates SQL strings based on passed-in integers, i.e. where some_int=$variable_from_querystring, you must always do a check to confirm that that variable contains only numeric data. An alternate fix on SQL servers that allow the format where some_int='1234' (quoted numbers) would be to do where some_int='replace($variable_from_querystring,"'","''")'. This would cause a more than likely harmless error to occur whenever a character occurs within the passed-in numeric/integer variable.
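The two defences in the post side by side with the unchecked pattern they replace, as an added example that is not part of the original message: Python against an in-memory SQLite table with constructed sample rows; the users table, column names and function names are assumptions.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])


def vulnerable(value: str) -> str:
    """The unchecked pattern the post warns about: raw interpolation."""
    return f"SELECT name FROM users WHERE id={value}"


def check_integer(value: str) -> int:
    """Fix 1: confirm the variable holds only numeric data before use."""
    if not re.fullmatch(r"-?\d+", value.strip()):
        raise ValueError(f"non-numeric value rejected: {value!r}")
    return int(value)


def build_checked(value: str) -> str:
    return f"SELECT name FROM users WHERE id={check_integer(value)}"


def escape_quoted(value: str) -> str:
    """Fix 2: the post's replace(var, "'", "''") wrapped in single quotes."""
    return "'" + value.replace("'", "''") + "'"


def build_quoted(value: str) -> str:
    return f"SELECT name FROM users WHERE id={escape_quoted(value)}"


def run(sql: str) -> list:
    """Execute a built statement and return the matched names."""
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    print(run(vulnerable("1 OR 1=1")))          # both rows leak
    print(run(build_checked("2")))               # ['bob']
    try:
        build_checked("1 OR 1=1")                # rejected before the DB
    except ValueError as exc:
        print(exc)
    # SQLite compares the quoted text to an INTEGER column and simply
    # finds no match; stricter engines raise the type error the post expects.
    print(run(build_quoted("1' OR '1'='1")))     # []
```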