WebApp Sec mailing list archives
SQL injection and PHP/MYSQL
From: "Robert Buljevic" <skeptic () s1c org>
Date: Tue, 9 Sep 2003 21:04:25 +0200
I'm well aware of the sql injection problem when accepting non-trusted data. However, I'm interested in a more concrete example, precisely the PHP/MySQL combination.

Suppose I have some input text that's passed to mysql for searching via http get request. What characters should I allow/disallow? And is it enough to use PHP's addslashes function? If not, why? Could you provide any example of input that could cause injection even if it's slashed - always referring to the particular case of PHP/MYSQL?

Any info would be appreciated... Thanks!

Robert Buljevic