WebApp Sec mailing list archives
Re: PHP for preventing SQL injections?
From: Gavin Zuchlinski <gzuchlinski () pgsit org>
Date: Tue, 16 Sep 2003 23:00:48 -0400
Variables in SQL statements are not always quoted themselves, so just slashing out quotes for everything won't always work (like with integers). So, like you said, you need to consider how it will be handled; relying on addslashes() for everything or magic quotes just won't cut it. But there is a whole big scary world out there beyond this; SQL injection is only the front door.

-Gavin Zuchlinski
http://libox.net/

On Tuesday 16 September 2003 08:43 pm, latte () hushmail com wrote:

> I don't see anything in there that contradicts what I said ... Escaping quotes [in mssql] is all you need to do when using strings in any SQL, and when using other datatypes you just need to consider how they are handled by your server (i.e. numbers, dates) so that they are fixed for any special characters as well (which is what I said). What is wrong with that?
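The integer case Gavin describes, as an added example in PHP (not code from the thread or from either poster): addslashes() leaves an unquoted value untouched, a typed check rejects it, and a bound parameter removes the escaping decision from the application entirely. It assumes a hypothetical users table with id and name columns; the PDO function assumes an open connection and PDO post-dates this thread.

```php
<?php
// Added example, not from the list thread.

// The pattern the thread warns about: addslashes() only escapes quotes,
// backslashes and NUL bytes, so a value interpolated without quotes
// reaches the SQL string unchanged.
function unsafeIdQuery(string $id): string
{
    return "SELECT name FROM users WHERE id = " . addslashes($id);
}

// Typed handling: an integer column gets validated as an integer before
// the value is placed in the SQL string; anything else is rejected.
function safeIdQuery(string $id): string
{
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $id)) {
        throw new InvalidArgumentException("id must be a positive integer");
    }
    return "SELECT name FROM users WHERE id = " . (int) $id;
}

// Bound parameter (assumes a PDO connection): the driver sends the value
// separately from the statement text, so no escaping is done by hand.
function fetchName(PDO $db, string $id): ?string
{
    $stmt = $db->prepare("SELECT name FROM users WHERE id = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['name'] : null;
}

// Constructed inputs: a normal id, and a value that contains no quotes at all.
$inputs = ["42", "42 OR 1=1"];
foreach ($inputs as $in) {
    echo "input: $in\n";
    echo "  addslashes only: " . unsafeIdQuery($in) . "\n";
    try {
        echo "  typed check:     " . safeIdQuery($in) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "  typed check:     rejected (" . $e->getMessage() . ")\n";
    }
}
```

Run with the PHP CLI; the second input shows addslashes() returning the value verbatim while the typed check refuses it.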