WebApp Sec mailing list archives

Re: SQL injection and PHP/MYSQL


From: "Denis Arh" <denis () exonium net>
Date: Tue, 9 Sep 2003 22:06:23 +0200

Hi!

You just escape all strings with mysql_escape_string() and cast all number
values to integers.

There's no "evil-code" that can pass this:

// escape the string AND wrap it in SQL single quotes (without the quotes the
// escaping has nothing to protect); cast the number so only digits reach SQL
$query = "INSERT INTO tbl (col1, col2) VALUES ('"
       . mysql_escape_string($string_value) . "', "
       . (int)$number_value . ")";
if ( !mysql_query( $query ) ) {
  ...
}


IMHO anything more than this is a waste of your time and CPU power.

Regards,
Denis Arh

----- Original Message ----- 
From: "Robert Buljevic" <skeptic () s1c org>
To: <webappsec () securityfocus com>
Sent: Tuesday, September 09, 2003 9:04 PM
Subject: SQL injection and PHP/MYSQL


I'm well aware of the SQL injection problem when accepting non-trusted
data. However, I'm interested in a more concrete example, precisely the
PHP/MySQL combination.

Suppose I have some input text that's passed to MySQL for searching via an
HTTP GET request. What characters should I allow/disallow?
And is it enough to use PHP's addslashes function? If not, why? Could you
provide any example of input that could cause injection even if it's
slashed - always referring to the particular case of PHP/MySQL?

Any info would be appreciated... Thanks!

Robert Buljevic
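The recipe from the reply above (escape the string and wrap it in quotes, cast the number to int), as an added example that is not from the original thread: it re-implements the escaping of mysql_escape_string() and PHP's (int) cast in Python, builds the INSERT, and scans the result to check that user-supplied text stays inside its literal. The sample inputs and the two unsafe variants (escaped but unquoted string; number escaped but not cast) are constructed to show why both halves of the recipe are needed.

```python
import re

# Re-implementation of the escaping PHP's mysql_escape_string() performs:
# backslash-prefix NUL, \n, \r, \, ', " and Ctrl-Z. Illustrative only; it is
# not a call into PHP or libmysqlclient and ignores the connection charset.
_ESC = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
        "'": "\\'", '"': '\\"', "\x1a": "\\Z"}

def mysql_escape_string(s: str) -> str:
    return "".join(_ESC.get(ch, ch) for ch in s)

def php_int_cast(v) -> int:
    # Approximates PHP's (int) cast on a string: leading integer, else 0.
    m = re.match(r"\s*[+-]?\d+", str(v))
    return int(m.group()) if m else 0

def build_query(string_value: str, number_value) -> str:
    # The reply's recipe: string escaped AND wrapped in single quotes,
    # number cast to int. scan() below shows why both halves matter.
    return ("INSERT INTO tbl (col1, col2) VALUES ('"
            + mysql_escape_string(string_value) + "', "
            + str(php_int_cast(number_value)) + ")")

def scan(sql: str):
    """Return (text outside single-quoted literals, every literal closed?),
    honouring backslash escapes the way the MySQL lexer does."""
    outside, in_lit, i = [], False, 0
    while i < len(sql):
        ch = sql[i]
        if in_lit and ch == "\\":
            i += 2                      # escaped char stays in the literal
            continue
        if ch == "'":
            in_lit = not in_lit
        elif not in_lit:
            outside.append(ch)
        i += 1
    return "".join(outside), not in_lit

# Constructed sample inputs: each tries to close its slot and add a clause.
HOSTILE_STRING = "x') OR ('1'='1"
HOSTILE_NUMBER = "1) OR (1=1"

def demo() -> dict:
    esc = mysql_escape_string
    return {
        # correct: user text cannot leave its literal, the number is just 1
        "safe": build_query(HOSTILE_STRING, HOSTILE_NUMBER),
        # escaped but not quoted: no literal ever starts, query is broken
        "unquoted": "INSERT INTO tbl (col1, col2) VALUES (" + esc(HOSTILE_STRING)
                    + ", " + str(php_int_cast(HOSTILE_NUMBER)) + ")",
        # quoted string but number only escaped: nothing to escape, clause leaks
        "uncast": "INSERT INTO tbl (col1, col2) VALUES ('" + esc(HOSTILE_STRING)
                  + "', " + esc(HOSTILE_NUMBER) + ")",
    }
```

Running scan() over the three queries shows the "OR" clause only ever reaches SQL context through the uncast number slot, which is exactly the slot addslashes-style escaping cannot protect.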
