WebApp Sec mailing list archives
Re: SQL injection and PHP/MYSQL
From: "Denis Arh" <denis () exonium net>
Date: Tue, 9 Sep 2003 22:06:23 +0200
Hi!

You just escape all strings with mysql_escape_string() and cast all number values to integers. There's no "evil code" that can pass this:

    $query = 'INSERT INTO tbl (col1, col2) VALUES (\''
           . mysql_escape_string($string_value) . '\', '
           . (int)$number_value . ')';
    if ( !mysql_query( $query ) ) { ... }

IMHO anything more than this is a waste of your time and CPU power.

Regards,
Denis Arh

----- Original Message -----
From: "Robert Buljevic" <skeptic () s1c org>
To: <webappsec () securityfocus com>
Sent: Tuesday, September 09, 2003 9:04 PM
Subject: SQL injection and PHP/MYSQL
I'm well aware of the SQL injection problem when accepting non-trusted data. However, I'm interested in a more concrete example, precisely the PHP/MySQL combination. Suppose I have some input text that's passed to MySQL for searching via an HTTP GET request. What characters should I allow/disallow? And is it enough to use PHP's addslashes function? If not, why? Could you provide any example of input that could cause injection even if it's slashed - always referring to the particular case of PHP/MYSQL?

Any info would be appreciated...

Thanks!

Robert Buljevic
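The following PHP is an added example, not code from either message in this thread. It answers Robert's question with a concrete input that survives slashing and shows why Denis's "(int) cast" is the part that matters: escaping only protects a value that sits inside quotes, so a slashed value dropped into a numeric (unquoted) position is injected verbatim. The table and column names, the helper functions and the two hostile inputs are constructed for illustration; addslashes() stands in for the escaping step so the script runs without a MySQL connection (against a live server the charset-aware mysql_real_escape_string(), or a prepared statement, is the right tool).

```php
<?php
// Added example, not code from either message above. Table and column
// names, helper names and the two hostile inputs are constructed for
// illustration. addslashes() is used so this runs without a MySQL link.

// Constructed hostile inputs, as they might arrive in GET parameters.
$stringAttack  = "' OR '1'='1";   // aims at a quoted string context
$numericAttack = "1 OR 1=1";      // aims at an unquoted numeric context

// 1. Naive concatenation: either input rewrites the WHERE clause.
function naiveQuery(string $name, string $id): string
{
    return "SELECT * FROM users WHERE name = '$name' AND id = $id";
}

// 2. Escaping alone: the quoted string is now inert, but the numeric
//    value contains no quote, backslash or NUL byte, so addslashes()
//    returns it unchanged and "OR 1=1" lands in the query as SQL.
function escapedOnly(string $name, string $id): string
{
    return "SELECT * FROM users WHERE name = '" . addslashes($name)
         . "' AND id = " . addslashes($id);
}

// 3. Escape and quote strings, cast numbers (the approach in the reply
//    above). (int)"1 OR 1=1" evaluates to 1; the injected tail is gone.
function escapedAndCast(string $name, string $id): string
{
    return "SELECT * FROM users WHERE name = '" . addslashes($name)
         . "' AND id = " . (int) $id;
}

foreach (['naiveQuery', 'escapedOnly', 'escapedAndCast'] as $builder) {
    printf("%-16s %s\n", $builder . ':', $builder($stringAttack, $numericAttack));
}
```

Run it with `php example.php` and compare the three queries: in the first, both inputs alter the WHERE clause; in the second, the quoted name is harmless (every `'` is preceded by a backslash) but `id = 1 OR 1=1` is still there; only the third ends in `id = 1`. The general rule this illustrates is that every dynamic value must be either quoted-and-escaped or type-constrained according to the position it occupies, and a search parameter used in a LIKE clause or a column name used in ORDER BY needs its own handling for the same reason. Prepared statements (PDO or mysqli, PHP 5 and later) send values separately from the statement text and make the quoting question moot.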
Current thread:
- SQL injection and PHP/MYSQL Robert Buljevic (Sep 09)
- Re: SQL injection and PHP/MYSQL Sverre H. Huseby (Sep 09)
- Re: SQL injection and PHP/MYSQL Bill Pennington (Sep 09)
- Re: SQL injection and PHP/MYSQL Denis Arh (Sep 09)
- Re: SQL injection and PHP/MYSQL shimi (Sep 09)
- Re: SQL injection and PHP/MYSQL Brad Fults (Sep 10)
- Re: SQL injection and PHP/MYSQL Jan Pieter Kunst (Sep 10)
- Re: SQL injection and PHP/MYSQL Sverre H. Huseby (Sep 10)
- Re: SQL injection and PHP/MYSQL Brad Fults (Sep 10)
- <Possible follow-ups>
- RE: SQL injection and PHP/MYSQL Keifer, Trey (Sep 09)