WebApp Sec mailing list archives
Re: SQL injection and PHP/MYSQL
From: Bill Pennington <billp () boarder org>
Date: Tue, 9 Sep 2003 12:55:51 -0700
One of the main hurdles to overcome with MySQL SQL injection is that current production versions of MySQL (4.0.x and below) do not support subselects. So injecting "UNION ALL SELECTS..." etc generally will not work. You can still use ' OR 1=1 type injections though.
The current alpha 4.1 of MySQL does support subselects so I think there are going to be a few more SQL Injection issues with MySQL once people start using the 4.1 code.
I don't know PHP that well so I can't comment on it.
On Tuesday, September 9, 2003, at 12:04 PM, Robert Buljevic wrote:
I'm well aware of the sql injection problem when accepting non-trusted data. However, I'm interested in a more concrete example, precisely the PHP/MySQL combination. Suppose I have some input text that's passed to mysql for searching via http get request. What characters should I allow/disallow? And is it enough to use PHP's addslashes function? If not, why? Could you provide any example of input that could cause injection even if it's slashed - always referring to the particular case of PHP/MYSQL?
Any info would be appreciated...
Thanks!
Robert Buljevic
---
Bill Pennington, CISSP, CCNA
Chief Technology Officer
WhiteHat Security Inc.
http://www.whitehatsec.com
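An added example, not part of the original post or thread: the "OR 1=1" style of injection mentioned above, in an unquoted numeric parameter where addslashes leaves the input unchanged, next to a validated and parameterized version. SQLite in memory stands in for MySQL so the script runs offline; the table, its rows and the function names are constructed for the illustration.

```php
<?php
// Added example: SQLite in memory stands in for MySQL (assumption) so the
// script runs offline. Table, rows and function names are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO articles (title) VALUES ('public note'), ('draft'), ('internal memo')");

// Weak: addslashes() only escapes ', ", \ and NUL. In an unquoted numeric
// context there is no quote to break out of, so the escaping changes nothing
// and the input is still parsed as part of the SQL statement.
function find_weak(PDO $pdo, string $id): array
{
    $sql = 'SELECT title FROM articles WHERE id = ' . addslashes($id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: check the type first, then bind the value so it is passed to the
// database as data and never parsed as SQL.
function find_safe(PDO $pdo, string $id): array
{
    $n = filter_var($id, FILTER_VALIDATE_INT);
    if ($n === false) {
        return [];  // reject anything that is not a plain integer
    }
    $stmt = $pdo->prepare('SELECT title FROM articles WHERE id = ?');
    $stmt->execute([$n]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$input = '1 OR 1=1';  // constructed sample value of an HTTP GET parameter

// addslashes() has nothing to escape in this input.
var_dump(addslashes($input) === $input);

echo "weak lookup:\n";
print_r(find_weak($pdo, $input));

echo "safe lookup, same input:\n";
print_r(find_safe($pdo, $input));

echo "safe lookup, valid id:\n";
print_r(find_safe($pdo, '2'));
```

With the constructed input the weak lookup returns every row in the table, while the safe lookup rejects it and still answers a valid id normally.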