WebApp Sec mailing list archives

Re: PHP for preventing SQL injections?


From: "Ulf Harnhammar" <metaur () operamail com>
Date: Tue, 23 Sep 2003 12:18:15 +0100

> If you use Base64, I even think it will be impossible to create
> working LIKE clauses, as the bits from a single original character may
> or may not be split in two depending on the position the character has
> in the sequence.  Even sorting won't work as expected: "aaa" encodes
> to "YWFh", while "aaz" ( > "aaa") encodes to "YWF6" ( < "YWFh").

At least MySQL has the facility of allowing user-defined functions, so I
suppose you could make one for BASE64 decoding and then use that in your
LIKE clause. This will probably slow things down.

> But most of these aside, the main thing is that I don't understand why
> encoding everything is better than escaping just the SQL meta-
> characters.  What am I missing?

A stronger sense of security, that you don't get with a blacklisting
approach, combined with not having to deal with the whitelisting
approach's not allowing certain characters.

// Ulf Harnhammar
   kses - PHP HTML/XHTML filter (0.2.1 out soon)
   http://sourceforge.net/projects/kses

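As an added example, not code from the thread or from kses, the Base64 behaviour discussed above reproduced against SQLite through Python's sqlite3 module (standing in for MySQL, which is an assumption): ORDER BY on the encoded column puts "aaz" before "aaa", a LIKE against the encoded column misses every match whose 3-byte alignment differs from the needle's, and a decoding user-defined function registered with create_function (the SQLite analogue of the MySQL UDF suggested in the reply) restores substring matching, at the cost of decoding every row. The table name users, the sample names and all function names are constructed for the example.

```python
import base64
import sqlite3

# Constructed sample rows for the example (not from the original thread).
SAMPLE_NAMES = ["aaa", "aaz", "baa", "xaaz"]


def b64(s: str) -> str:
    """Base64-encode a string the way the thread's scheme stores it."""
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


def b64dec(s: str) -> str:
    """Inverse of b64(); registered below as a SQL user-defined function."""
    return base64.b64decode(s.encode("ascii")).decode("utf-8")


def encodings_by_offset(needle: str) -> list:
    """Base64 of the needle when it starts at byte offset 0, 1 and 2.

    Because Base64 packs 3 bytes into 4 characters, the same characters
    encode differently depending on where they fall in the input, which
    is why a naive LIKE on the encoded column cannot work in general."""
    return [b64("x" * pad + needle) for pad in range(3)]


def build_db() -> sqlite3.Connection:
    """In-memory table with a plaintext column and a Base64-encoded copy."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, name_b64 TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, name_b64) VALUES (?, ?)",
        [(n, b64(n)) for n in SAMPLE_NAMES],
    )
    # Decoding UDF: SQLite's equivalent of the MySQL UDF the reply proposes.
    conn.create_function("b64dec", 1, b64dec)
    return conn


def order_plain(conn: sqlite3.Connection) -> list:
    """Sort order on the plaintext column (the expected order)."""
    return [r[0] for r in conn.execute("SELECT name FROM users ORDER BY name")]


def order_b64(conn: sqlite3.Connection) -> list:
    """Sort order on the encoded column: 'aaz' (YWF6) sorts before 'aaa' (YWFh)."""
    return [r[0] for r in conn.execute("SELECT name FROM users ORDER BY name_b64")]


def like_b64_naive(conn: sqlite3.Connection, needle: str) -> list:
    """Search the encoded column for the encoded needle.

    Only rows where the needle sits at the same 3-byte alignment as in the
    stored value (and without padding in between) can match."""
    pattern = "%" + b64(needle) + "%"
    rows = conn.execute(
        "SELECT name FROM users WHERE name_b64 LIKE ? ORDER BY name", (pattern,)
    )
    return [r[0] for r in rows]


def like_via_udf(conn: sqlite3.Connection, needle: str) -> list:
    """Decode in SQL with the UDF, then LIKE on the plaintext.

    Correct, but the decode runs for every row and defeats any index on
    name_b64. The needle is still passed as a bound parameter: decoding
    on the server does nothing to protect a query built by concatenation."""
    pattern = "%" + needle + "%"
    rows = conn.execute(
        "SELECT name FROM users WHERE b64dec(name_b64) LIKE ? ORDER BY name",
        (pattern,),
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    print("plain order :", order_plain(db))
    print("b64 order   :", order_b64(db))
    print("'aaz' at offsets 0/1/2 :", encodings_by_offset("aaz"))
    print("naive LIKE 'aaz':", like_b64_naive(db, "aaz"))
    print("UDF LIKE 'aaz'  :", like_via_udf(db, "aaz"))
    print("naive LIKE 'aa' :", like_b64_naive(db, "aa"))
    print("UDF LIKE 'aa'   :", like_via_udf(db, "aa"))
```

Searching for "aaz" through the encoded column finds only the row that is exactly "aaz"; "xaaz" contains it but encodes to "eGFheg==", which shares no substring with "YWF6". A two-character needle such as "aa" encodes with padding ("YWE=") and matches nothing at all, while the UDF version matches all four rows.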

