WebApp Sec mailing list archives
Re: PHP for preventing SQL injections?
From: "Ulf Harnhammar" <metaur () operamail com>
Date: Mon, 22 Sep 2003 17:32:15 +0100
B0iler sez:
Convert ascii into another format which does not contain SQL control characters, such as hex. The characters 0-9a-f will not do anything strange.
That's an interesting idea! A variation on the same theme would be to convert to BASE64 instead, to save some space (3 ASCII characters are 6 hex characters but only 4 BASE64 characters). Of course, you'll get into validation problems later when you have decoded the data back to ASCII, but in a situation where you're mostly afraid of SQL Injection, this might be worth thinking about.

PHP has built-in base64_encode() and base64_decode() functions. If you use Perl, there's a MIME::Base64 module at CPAN. (Technically, it is there even if you don't use Perl, but that's philosophy and not computer security.)

// Ulf Harnhammar
kses - PHP HTML/XHTML filter (0.2.1 out soon)
http://sourceforge.net/projects/kses
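The encoding approach discussed in this thread, shown as an added PHP example (this is not code from the original posts or from kses). It Base64-encodes the value before it is placed in the query, checks that the encoded string really contains only the Base64 alphabet, and then performs the validation the reply warns about on the decoded side. The table and column names and the constructed input are assumptions for illustration.

```php
<?php
// Added example, not from the original posts: store user input as Base64 so the
// SQL literal only ever contains [A-Za-z0-9+/=], none of which are SQL control
// characters. The table/column names below are hypothetical.

function encode_for_sql(string $input): string {
    $encoded = base64_encode($input);
    // Belt and braces: confirm the encoded value is limited to the Base64 alphabet
    // before it goes anywhere near a query string.
    if (!preg_match('/^[A-Za-z0-9+\/]*={0,2}$/', $encoded)) {
        throw new RuntimeException('unexpected characters after encoding');
    }
    return $encoded;
}

function decode_and_validate(string $stored, int $maxLen = 64): string {
    // Strict mode makes base64_decode() reject input outside the Base64 alphabet.
    $decoded = base64_decode($stored, true);
    if ($decoded === false) {
        throw new RuntimeException('stored value is not valid Base64');
    }
    // This is the "validation problem later" from the reply: the encoding only
    // protected the query, so the decoded data still has to be checked before
    // anything else consumes it. Here: length limit and printable ASCII only.
    if (strlen($decoded) > $maxLen || !preg_match('/^[\x20-\x7E]*$/', $decoded)) {
        throw new RuntimeException('decoded value failed validation');
    }
    return $decoded;
}

// Constructed input that contains SQL metacharacters (quote, semicolon, comment).
$userInput = "O'Brien; DROP TABLE users --";

$safe = encode_for_sql($userInput);
$sql  = "INSERT INTO comments (author) VALUES ('" . $safe . "')";
echo $sql, "\n";                          // the literal holds only Base64 characters

echo decode_and_validate($safe), "\n";    // round-trips to the original text
```

The validation on the decoded side is the important half: Base64 keeps the metacharacters out of the SQL statement, but the original bytes come back unchanged on decode, so length limits and character-set checks still have to be applied there.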
Current thread:
- PHP for preventing SQL injections? Ulf Harnhammar (Sep 17)
- <Possible follow-ups>
- Re: PHP for preventing SQL injections? b0iler _ (Sep 21)
- Re: PHP for preventing SQL injections? Ulf Harnhammar (Sep 22)
- Re: PHP for preventing SQL injections? Sverre H. Huseby (Sep 22)
- Re: PHP for preventing SQL injections? David Cameron (Sep 23)
- Re: PHP for preventing SQL injections? Sverre H. Huseby (Sep 22)
- Re: PHP for preventing SQL injections? Ulf Harnhammar (Sep 23)
- Re: PHP for preventing SQL injections? Sverre H. Huseby (Sep 23)