WebApp Sec mailing list archives

Re: PHP for preventing SQL injections?


From: "Harry M" <harrym () the-group org>
Date: Wed, 17 Sep 2003 21:04:10 +0100

That's what I use:

<?php

...

if(!is_integer($SomeVar)){
  // bail out
}

$Query = "some_sql_here";

...

?>

Assuming there's no reasonable way a supposedly int value could become
something else, I often IP-ban people temporarily or invalidate sessions when
these kinds of checks fail, on the reasoning that only naughty people
should be affected.

Harry

----- Original Message -----
From: <cipherz () slamsoft dk>
To: "wilfrid" <wilfrid () digifactory fr>; "Security OnLine.tk"
<securityonline () email it>
Cc: <webappsec () securityfocus com>
Sent: Wednesday, September 17, 2003 11:52 AM
Subject: Re: PHP for preventing SQL injections?


Not sure if it has been mentioned, but what about the PHP function
is_integer?

 /ciph
----- Original Message -----
From: "wilfrid" <wilfrid () digifactory fr>
To: "Security OnLine.tk" <securityonline () email it>
Cc: <webappsec () securityfocus com>
Sent: Wednesday, September 17, 2003 6:27 AM
Subject: Re: PHP for preventing SQL injections?


For this kind of request, if your $id is an INT, you can avoid all
injection with an intval():

$string = "SELECT * FROM tblTable WHERE ID=".intval($id);

If $id contains non-numeric characters, it will return 0.

Wilfrid.

Security OnLine.tk wrote:


I know something to use in ASP, but it could be good in PHP too.
In ASP, you have a string with the SQL commands:

string = "SELECT * FROM tblTable WHERE ID='" & id & "'"

To prevent a SQL injection attack:

string = "SELECT * FROM tblTable WHERE ID=('" & id & "')"

In PHP you could do something like this:

$sql_cmds = "SELECT * FROM tblTable WHERE ID=('" . $id . "')";

Check if this works.

David a.k.a. hanska


-------Original Message-------

From: Lefevre, Steven
Date: Tuesday, 16 September 2003 23.38.58
To: webappsec () securityfocus com
Subject: PHP for preventing SQL injections?

Hey folks -

Does anyone know of a regexp for checking SQL strings for injection
attempts?

Steve Lefevre
Network Administrator
IMI International, Inc.
614.839.2500
