WebApp Sec mailing list archives
Re: PHP for preventing SQL injections?
From: Alex Lambert <alambert () quickfire org>
Date: Tue, 16 Sep 2003 18:46:27 -0500
This seems like a monthly question ;). Sverre Huseby wrote an informative message about _why_ escaping only quotes is wrong. Doing so hides the _real_ problem, passing data that is interpreted incorrectly by the parser at the other end.
See http://shh.thathost.com/text/passing-data-03.txt

apl

latte () hushmail com wrote:

> This will *NOT* work. Do not do this.
>
> The best way to avoid SQL injection is to remove special chars, such as "'" in strings and !numeric in numbers.
>
> -----Original Message-----
> From: Security OnLine.tk [mailto:securityonline () email it]
> Sent: Wednesday, 17 September 2003 7:45 AM
> To: webappsec () securityfocus com
> Subject: Re: PHP for preventing SQL injections?
>
> I know something to use in ASP, but it could be good also in PHP.
>
> In ASP, you have a string with the SQL commands:
>
>     string = "SELECT * FROM tblTable WHERE ID='" & id & "'"
>
> To prevent a SQL injection attack:
>
>     string = "SELECT * FROM tblTable WHERE ID=('" & id & "')"
>
> In PHP you could do something like this:
>
>     $sql_cmds = "SELECT * FROM tblTable WHERE ID=('" . $id . "')";
>
> Check if this works.
>
> David a.k.a. hanska
>
> -------Original Message-------
> From: Lefevre, Steven
> Date: Tuesday, 16 September 2003 23:38:58
> To: webappsec () securityfocus com
> Subject: PHP for preventing SQL injections?
>
> Hey folks -
>
> Does anyone know of a regexp for checking SQL strings for injection attempts?
>
> Steve Lefevre
> Network Administrator
> IMI International, Inc.
> 614.839.2500
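An added illustration of the point made in this thread (example code, not from any of the posters): the real problem is user data that the SQL parser reads as SQL. The parenthesised concatenation suggested above is bypassed by a value that closes the parenthesis and quote and reopens them; stripping quotes happens to block that one payload in a string context, but it silently breaks a legitimate ID containing an apostrophe and does nothing at all in a numeric context; a parameterised query handles every case because the value is bound, not spliced into the statement. It is written against Python's sqlite3 so that it runs offline, and the behaviour is the same for MySQL or MSSQL. The table name tblTable is taken from the thread; the rows, column names and attack payloads are constructed for this example.

```python
"""Why "wrap it in parentheses" and "strip the quotes" do not fix SQL
injection, and what does: the value must never reach the SQL parser as
part of the statement text.  Rows and payloads are constructed."""
import sqlite3

# Constructed sample rows; one legitimate ID contains an apostrophe.
ROWS = [("alice", "alice-secret"), ("bob", "bob-secret"), ("O'Brien", "obrien-secret")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblTable (ID TEXT PRIMARY KEY, secret TEXT)")
    conn.executemany("INSERT INTO tblTable VALUES (?, ?)", ROWS)
    return conn


def lookup_parens(conn, user_id):
    """The suggested 'fix' from the thread: quote the value and wrap it in ()."""
    sql = "SELECT ID FROM tblTable WHERE ID=('" + user_id + "')"
    return [row[0] for row in conn.execute(sql)]


def strip_quotes(value):
    """The 'remove special chars' approach: delete every single quote."""
    return value.replace("'", "")


def lookup_stripped(conn, user_id):
    """Quote-stripping in a string context: the attacker cannot close the
    literal, but a legitimate value containing a quote is altered too."""
    sql = "SELECT ID FROM tblTable WHERE ID='" + strip_quotes(user_id) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_stripped_numeric(conn, row_number):
    """Quote-stripping in a numeric context: there is no quote to strip, so
    the same filter passes an OR clause straight through to the parser."""
    sql = "SELECT ID FROM tblTable WHERE rowid=" + strip_quotes(row_number)
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, user_id):
    """Parameterised query: the value is bound as data and never parsed as
    SQL, so no character in it needs escaping or removing."""
    cur = conn.execute("SELECT ID FROM tblTable WHERE ID=?", (user_id,))
    return [row[0] for row in cur]


def demo():
    """Run each lookup against an attack payload and a legitimate value."""
    conn = make_db()
    # Closes the paren and quote the 'fix' added, then reopens them so the
    # statement still parses:  ... WHERE ID=('x') OR ('1'='1')
    payload = "x') OR ('1'='1"
    return {
        "parens_attack": lookup_parens(conn, payload),          # every row leaks
        "strip_attack": lookup_stripped(conn, payload),         # [] blocked here...
        "strip_legit": lookup_stripped(conn, "O'Brien"),        # [] ...but real user lost
        "strip_numeric_attack": lookup_stripped_numeric(conn, "1 OR 1=1"),  # every row leaks
        "param_attack": lookup_param(conn, payload),            # []
        "param_legit": lookup_param(conn, "O'Brien"),           # ["O'Brien"]
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22s} -> {rows}")
```

The lesson is the one Sverre Huseby's text makes: the set of "dangerous" characters depends on where in the statement the data lands (quote inside a string literal, space and operators in a numeric position), so a character blacklist or a regexp is always guarding the wrong layer. Binding the value as a parameter removes the question entirely.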
Current thread:
- PHP for preventing SQL injections? Lefevre, Steven (Sep 16)
- Re: PHP for preventing SQL injections? Security OnLine.tk (Sep 16)
- Re: PHP for preventing SQL injections? wilfrid (Sep 17)
- Re: PHP for preventing SQL injections? cipherz (Sep 17)
- Re: PHP for preventing SQL injections? Harry M (Sep 18)
- Re: PHP for preventing SQL injections? wilfrid (Sep 17)
- Re: PHP for preventing SQL injections? Security OnLine.tk (Sep 16)
- Re: PHP for preventing SQL injections? weigelt (Sep 16)
- Re: PHP for preventing SQL injections? David Bernick (Sep 18)
- <Possible follow-ups>
- RE: PHP for preventing SQL injections? latte (Sep 16)
- Re: PHP for preventing SQL injections? Alex Lambert (Sep 16)
- RE: PHP for preventing SQL injections? Lefevre, Steven (Sep 17)
- Re: PHP for preventing SQL injections? Sverre H. Huseby (Sep 18)
- Re: PHP for preventing SQL injections? Alex Lambert (Sep 16)
- Re: PHP for preventing SQL injections? Gavin Zuchlinski (Sep 17)