WebApp Sec mailing list archives
Re: PHP for preventing SQL injections?
From: <cipherz () slamsoft dk>
Date: Wed, 17 Sep 2003 11:52:59 +0100
Not sure if it has been mentioned but what about the php function: is_integer ? /ciph ----- Original Message ----- From: "wilfrid" <wilfrid () digifactory fr> To: "Security OnLine.tk" <securityonline () email it> Cc: <webappsec () securityfocus com> Sent: Wednesday, September 17, 2003 6:27 AM Subject: Re: PHP for preventing SQL injections?
For this kind of request, if your $id is an INT, you can avoid all injjection by an intval() : $string = "SELECT * FROM tblTable WHERE ID=".intval($id); if $id contains non-number caracters, it will return 0. Wilfrid. Security OnLine.tk a écrit:I know something to use in ASP, but it could be good also in PHP in ASP, you got a string with the SQL commands: string = "SELECT * FROM tblTable WHERE ID=' & id & '" to prevent a SQL injection attack: string = "SELECT * FROM tblTable WHERE ID=(' & id & ')" in PHP you could do something like this $sql_cmds = "SELECT * FROM tblTable WHERE ID=(' . id . ')"; check if this works David a.k.a. hanska -------Original Message------- From: Lefevre, Steven Date: martedì 16 settembre 2003 23.38.58 To: webappsec () securityfocus com Subject: PHP for preventing SQL injections? Hey folks - Does anyone know of a regexp for checking SQL strings for injection attempts? Steve Lefevre Network Administrator IMI International, Inc. 614.839.2500 .
Current thread:
- PHP for preventing SQL injections? Lefevre, Steven (Sep 16)
- Re: PHP for preventing SQL injections? Security OnLine.tk (Sep 16)
- Re: PHP for preventing SQL injections? wilfrid (Sep 17)
- Re: PHP for preventing SQL injections? cipherz (Sep 17)
- Re: PHP for preventing SQL injections? Harry M (Sep 18)
- Re: PHP for preventing SQL injections? wilfrid (Sep 17)
- Re: PHP for preventing SQL injections? Security OnLine.tk (Sep 16)
- Re: PHP for preventing SQL injections? weigelt (Sep 16)
- Re: PHP for preventing SQL injections? David Bernick (Sep 18)
- <Possible follow-ups>
- RE: PHP for preventing SQL injections? latte (Sep 16)
- Re: PHP for preventing SQL injections? Alex Lambert (Sep 16)
- RE: PHP for preventing SQL injections? Lefevre, Steven (Sep 17)
- Re: PHP for preventing SQL injections? Sverre H. Huseby (Sep 18)
- Re: PHP for preventing SQL injections? Alex Lambert (Sep 16)
- Re: PHP for preventing SQL injections? Gavin Zuchlinski (Sep 17)