WebApp Sec mailing list archives
RE: PHP for preventing SQL injections?
From: <latte () hushmail com>
Date: Tue, 16 Sep 2003 17:43:28 -0700
I don't see anything in there that contradicts what I said ... Escaping quotes [in mssql] is all you need to do when using strings in any SQL, and when using other datatypes you just need to consider how they are handled by your server (i.e. numbers, dates) so that they are fixed for any special characters as well (which is what I said). What is wrong with that?

-----Original Message-----
From: Alex Lambert [mailto:alambert () quickfire org]
Sent: Wednesday, 17 September 2003 9:46 AM
To: latte () hushmail com
Cc: securityonline () email it; webappsec () securityfocus com
Subject: Re: PHP for preventing SQL injections?

This seems like a monthly question ;). Sverre Huseby wrote an informative message about _why_ escaping only quotes is wrong. Doing so hides the _real_ problem, passing data that is interpreted incorrectly by the parser at the other end.

See http://shh.thathost.com/text/passing-data-03.txt

apl

latte () hushmail com wrote:
This will *NOT* work. Do not do this. The only way to avoid SQL injection is to remove special chars, such as "'" in strings and !numeric in numbers.

-----Original Message-----
From: Security OnLine.tk [mailto:securityonline () email it]
Sent: Wednesday, 17 September 2003 7:45 AM
To: webappsec () securityfocus com
Subject: Re: PHP for preventing SQL injections?

I know something to use in ASP, but it could be good also in PHP.

In ASP, you've got a string with the SQL commands:

    string = "SELECT * FROM tblTable WHERE ID='" & id & "'"

To prevent a SQL injection attack:

    string = "SELECT * FROM tblTable WHERE ID=('" & id & "')"

In PHP you could do something like this:

    $sql_cmds = "SELECT * FROM tblTable WHERE ID=('" . $id . "')";

Check if this works.

David a.k.a. hanska

-------Original Message-------
From: Lefevre, Steven
Date: Tuesday, 16 September 2003 23:38:58
To: webappsec () securityfocus com
Subject: PHP for preventing SQL injections?

Hey folks -

Does anyone know of a regexp for checking SQL strings for injection attempts?

Steve Lefevre
Network Administrator
IMI International, Inc.
614.839.2500

--
Email.it, the professional e-mail, free for you: http://www.email.it/f
Sponsor: Discounts of up to 20% on the magnificent bouquets from Artefiori! Click here: http://adv.email.it/cgi-bin/foclick.cgi?mid=750&d=16-9

Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2
Free, ultra-private instant messaging with Hush Messenger https://www.hushmail.com/services.php?subloc=messenger&l=434
Promote security and make money with the Hushmail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427
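The thread argues about three approaches: hanska's ID=('...') wrapper, latte's "escape the quotes" rule, and Huseby's point that the real problem is data reaching the SQL parser as SQL text. The following is an added example, not code from any poster in the thread. It uses Python's sqlite3 instead of PHP/ASP against MS SQL so it runs offline with no server; the table (named tblTable after the thread), its rows and the two attack payloads are constructed sample data, and escape_quotes implements quote doubling, which is the SQL-standard escaping the thread is talking about.

```python
"""Added example (not from the thread): why 'escape the quotes' is not enough.

Python's sqlite3 stands in for the PHP/ASP + MS SQL setup in the thread; the
parser-level problem is the same in any client library. The table, rows and
attack payloads are constructed sample data.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the thread's tblTable."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tblTable (ID INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO tblTable VALUES (?, ?)",
                    [(1, "alice"), (2, "bob"), (3, "carol")])
    return con


def escape_quotes(value: str) -> str:
    """The thread's 'just escape the quotes' fix: SQL-standard quote doubling."""
    return value.replace("'", "''")


def lookup_concat_quoted(con: sqlite3.Connection, user_id: str, escape: bool) -> list:
    """hanska's ID=('...') form, with or without latte's quote escaping.

    Inside a quoted literal, doubling quotes does keep the input inside the
    string, so the string-context payload fails once escaping is on. Without
    escaping, the parentheses alone stop nothing: ') OR ('1'='1 closes them.
    """
    value = escape_quotes(user_id) if escape else user_id
    sql = "SELECT * FROM tblTable WHERE ID=('" + value + "')"
    return con.execute(sql).fetchall()


def lookup_concat_numeric(con: sqlite3.Connection, user_id: str) -> list:
    """Unquoted numeric context, quotes escaped as recommended.

    There is no quote for the attacker to break out of, so escaping quotes
    changes nothing: '2 OR 1=1' is parsed as SQL and matches every row.
    """
    sql = "SELECT * FROM tblTable WHERE ID=" + escape_quotes(user_id)
    return con.execute(sql).fetchall()


def lookup_param(con: sqlite3.Connection, user_id: str) -> list:
    """Parameterised query: the value is bound after parsing, never parsed as SQL.

    Handles both contexts with no escaping logic in the application at all;
    the column's INTEGER affinity still lets an honest "2" match row 2.
    """
    return con.execute("SELECT * FROM tblTable WHERE ID=?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    string_payload = "') OR ('1'='1"
    numeric_payload = "2 OR 1=1"
    print("parens only, string payload:  ", lookup_concat_quoted(db, string_payload, escape=False))
    print("parens + escaping, string:    ", lookup_concat_quoted(db, string_payload, escape=True))
    print("escaping, numeric payload:    ", lookup_concat_numeric(db, numeric_payload))
    print("parameterised, string payload:", lookup_param(db, string_payload))
    print("parameterised, numeric:       ", lookup_param(db, numeric_payload))
    print("parameterised, honest input:  ", lookup_param(db, "2"))
```

Run stand-alone, the parenthesised form returns all three rows for the string payload until quotes are escaped, the escaped numeric form still returns all three rows because there was never a quote to escape, and the parameterised query returns no rows for either payload while still finding row 2 for an honest "2". The check a practitioner wants is the last one: the fix has to work for every datatype context without the application knowing the server's quoting rules, and only binding parameters does that. The same applies to the regexp the original question asks for, which would have to anticipate every such context.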
Current thread:
- Re: PHP for preventing SQL injections?, (continued)
- Re: PHP for preventing SQL injections? Security OnLine.tk (Sep 16)
- Re: PHP for preventing SQL injections? wilfrid (Sep 17)
- Re: PHP for preventing SQL injections? cipherz (Sep 17)
- Re: PHP for preventing SQL injections? Harry M (Sep 18)
- Re: PHP for preventing SQL injections? wilfrid (Sep 17)
- Re: PHP for preventing SQL injections? Security OnLine.tk (Sep 16)
- Re: PHP for preventing SQL injections? weigelt (Sep 16)
- Re: PHP for preventing SQL injections? David Bernick (Sep 18)
- RE: PHP for preventing SQL injections? latte (Sep 16)
- Re: PHP for preventing SQL injections? Alex Lambert (Sep 16)
- RE: PHP for preventing SQL injections? Lefevre, Steven (Sep 17)
- Re: PHP for preventing SQL injections? Sverre H. Huseby (Sep 18)
- Re: PHP for preventing SQL injections? Alex Lambert (Sep 16)
- Re: PHP for preventing SQL injections? Gavin Zuchlinski (Sep 17)