WebApp Sec mailing list archives
Re: PHP for preventing SQL injections?
From: "Ulf Harnhammar" <metaur () operamail com>
Date: Tue, 23 Sep 2003 12:18:15 +0100
> If you use Base64, I even think it will be impossible to create working LIKE clauses, as the bits from a single original character may or may not be split in two depending on the position the character has in the sequence. Even sorting won't work as expected: "aaa" encodes to "YWFh", while "aaz" ( > "aaa") encodes to "YWF6" ( < "YWFh").
> At least MySQL has the facility of allowing user-defined functions, so I suppose you could make one for BASE64 decoding and then use that in your LIKE clause. This will probably slow things down.
> But most of these aside, the main thing is that I don't understand why encoding everything is better than escaping just the SQL meta-characters. What am I missing?
A stronger sense of security, that you don't get with a blacklisting approach, combined with not having to deal with the whitelisting approach's not allowing certain characters.

// Ulf Harnhammar
kses - PHP HTML/XHTML filter (0.2.1 out soon)
http://sourceforge.net/projects/kses
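To make the LIKE and sorting objection in the quoted message concrete, here is an added Python example (not code from the thread or from kses). The word list and the in-memory SQLite table are constructed for the demonstration; it checks whether ORDER BY and a prefix LIKE over Base64-stored text give the same rows as over the plaintext, and generalises the "aaa"/"aaz" case to show that a LIKE prefix survives encoding only when its length is a multiple of three.

```python
import base64
import sqlite3

# Constructed sample values; "aaa" and "aaz" are the pair from the thread.
SAMPLE_WORDS = ["aaa", "aaz", "aab", "abc", "abcd", "ab", "b"]


def b64(s: str) -> str:
    """Encode a value the way the thread proposes storing it."""
    return base64.b64encode(s.encode()).decode()


def order_by_preserved(words=SAMPLE_WORDS) -> bool:
    """True iff sorting the Base64 forms yields the same order as sorting the plaintext.

    Python's str ordering matches SQLite's default BINARY collation for ASCII,
    so this mirrors ORDER BY on a TEXT column holding the encoded values.
    """
    plain_order = sorted(words)
    via_encoded = [base64.b64decode(e).decode() for e in sorted(b64(w) for w in words)]
    return plain_order == via_encoded


def prefix_like_works(prefix: str, words=SAMPLE_WORDS) -> bool:
    """Compare plaintext LIKE 'prefix%' with the same query run over a Base64 column.

    Base64 packs three input bytes into four output characters, so the encoded
    prefix is a true prefix of the encoded value only when len(prefix) % 3 == 0;
    otherwise the trailing characters (and any '=' padding) differ.
    """
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t (plain TEXT, enc TEXT)")
    con.executemany("INSERT INTO t VALUES (?, ?)", [(w, b64(w)) for w in words])
    # Parameterised queries: the '%' wildcard is appended to the bound value, not the SQL text.
    plain_hits = {
        r[0] for r in con.execute("SELECT plain FROM t WHERE plain LIKE ?", (prefix + "%",))
    }
    enc_hits = {
        base64.b64decode(r[0]).decode()
        for r in con.execute("SELECT enc FROM t WHERE enc LIKE ?", (b64(prefix) + "%",))
    }
    con.close()
    return plain_hits == enc_hits


if __name__ == "__main__":
    print("ORDER BY preserved:", order_by_preserved())          # False
    for p in ("a", "ab", "abc"):
        print(f"LIKE '{p}%' preserved:", prefix_like_works(p))  # False, False, True
```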
Current thread:
- PHP for preventing SQL injections? Ulf Harnhammar (Sep 17)
- <Possible follow-ups>
- Re: PHP for preventing SQL injections? b0iler _ (Sep 21)
- Re: PHP for preventing SQL injections? Ulf Harnhammar (Sep 22)
- Re: PHP for preventing SQL injections? Sverre H. Huseby (Sep 22)
- Re: PHP for preventing SQL injections? David Cameron (Sep 23)
- Re: PHP for preventing SQL injections? Sverre H. Huseby (Sep 22)
- Re: PHP for preventing SQL injections? Ulf Harnhammar (Sep 23)
- Re: PHP for preventing SQL injections? Sverre H. Huseby (Sep 23)