RE: PHP for preventing SQL injections?

[<latte () hushmail com>]

I don't see anything in there that contradicts what 
I said ...

Escaping quotes [in mssql] is all you need to do when 
using strings in any SQL, and when using other datatypes
you just need to consider how they are handled by
your server (i.e. numbers, dates) so that are fixed
for any special characters as well (which is what I said).

What is wrong with that ?


-----Original Message-----
From: Alex Lambert [mailto:alambert () quickfire org]
Sent: Wednesday, 17 September 2003 9:46 AM
To: latte () hushmail com
Cc: securityonline () email it; webappsec () securityfocus com
Subject: Re: PHP for preventing SQL injections?


This seems like a monthly question ;). Sverre Huseby wrote an 
informative message about _why_ escaping only quotes is wrong. Doing
so 
hides the _real_ problem, passing data that is interpreted incorrectly

by the parser at the other end.

See http://shh.thathost.com/text/passing-data-03.txt



apl

latte () hushmail com wrote:
> This will *NOT* work.
>
> Do not do this.
>
> The only best way to avoid SQL injection is remove 
> special chars, such as "'" in strings and !numeric
> in numbers.
>
>
> -----Original Message-----
> From: Security OnLine.tk [mailto:securityonline () email it]
> Sent: Wednesday, 17 September 2003 7:45 AM
> To: webappsec () securityfocus com
> Subject: Re: PHP for preventing SQL injections?
>
>
>  
>
> I know something to use in ASP, but it could be good also in PHP
>
> in ASP, you got a string with the SQL commands:
>
>  
>
> string = "SELECT * FROM tblTable WHERE ID=' & id & '"
>
>  
>
> to prevent a SQL injection attack:
>
>  
>
> string = "SELECT * FROM tblTable WHERE ID=(' & id & ')"
>
>  
>
> in PHP you could do something like this
>
>  
>
> $sql_cmds = "SELECT * FROM tblTable WHERE ID=(' . id . ')";
>
>  
>
> check if this works
>
>  
>
> David a.k.a. hanska
>
>  
>
>  
>
> -------Original Message-------
>
>  
>
> From: Lefevre, Steven
>
> Date: martedì 16 settembre 2003 23.38.58
>
> To: webappsec () securityfocus com
>
> Subject: PHP for preventing SQL injections?
>
>  
>
> Hey folks -
>
>  
>
> Does anyone know of a regexp for checking SQL strings for injection
>
> attempts?
>
>  
>
> Steve Lefevre
>
> Network Administrator
>
> IMI International, Inc.
>
> 614.839.2500
>
>  
>
> .
>
>
>
> --
> Email.it, the professional e-mail, gratis per te: http://www.email.it/f
>
> Sponsor:
> Sconti fino al 20% per i magnifici bouquet di Artefiori! Clicca qui!
> Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=750&d=16-9
>
>
>
>
> Concerned about your privacy? Follow this link to get
> FREE encrypted email: https://www.hushmail.com/?l=2
>
> Free, ultra-private instant messaging with Hush Messenger
> https://www.hushmail.com/services.php?subloc=messenger&l=434
>
> Promote security and make money with the Hushmail Affiliate Program:

> https://www.hushmail.com/about.php?subloc=affiliate&l=427



Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427