WebApp Sec mailing list archives

Re: PHP for preventing SQL injections?


From: "Sverre H. Huseby" <shh () thathost com>
Date: Tue, 23 Sep 2003 19:20:52 +0200

[Ulf Harnhammar]

|   A stronger sense of security, that you don't get with a
|   blacklisting approach, [...]

I can see what you mean.

Of all the code I've seen, I've only once encountered code that didn't
do the escaping right.  The programmer had forgotten that the target
database treated backslash as a metacharacter inside SQL string
constants (a typical problem with blacklisting; forgetting something).

The much, much more common problem, at least judging from the code
I've seen (feel free to disagree, of course), is that the programmer
forgets to call the escaping function in one or more places in the code.
Maybe he thinks it isn't needed everywhere, or maybe he's in a hurry.

Methinks that to really have a stronger sense of security, we should
make it impossible for the programmer to forget the escaping.  For
instance, by making it impossible to create "dynamic SQL queries"
(mixing control information and data in the same string).  A database
API offering only prepared statements would probably be a good start.


Sverre.

-- 
shh () thathost com
http://shh.thathost.com/
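An added example (not code from the original post, and not any real PHP or database library) of the "API offering only prepared statements" idea: a small wrapper around Python's standard sqlite3 module that refuses SQL text containing inline string literals, so data can only reach the query through placeholders. The table, the sample name and the `naive_escape` helper are constructed for the demonstration.

```python
"""Added example: a database API that offers only parameterised queries,
so the programmer has no way to forget the escaping, because there is no
way to splice data into the SQL text at all.  Table and data constructed."""
import re
import sqlite3


class UnsafeQueryError(ValueError):
    """Raised when the SQL text itself appears to carry data."""


# Assumption: a quote character in the SQL text means someone is building a
# "dynamic SQL query" (data mixed into the control string).  Refuse it.
_INLINE_LITERAL = re.compile(r"['\"]")


class ParamsOnlyDB:
    """Wrapper that exposes no way to run SQL with embedded user data."""

    def __init__(self, path=":memory:"):
        self._conn = sqlite3.connect(path)

    def execute(self, sql, params=()):
        if _INLINE_LITERAL.search(sql):
            raise UnsafeQueryError("string literal in SQL; pass it as a parameter")
        if sql.count("?") != len(params):
            raise UnsafeQueryError("placeholder/parameter count mismatch")
        return self._conn.execute(sql, params).fetchall()


def naive_escape(s):
    """The blacklist approach from the post: doubles single quotes, but
    forgets that some databases treat backslash as a metacharacter."""
    return s.replace("'", "''")


def demo():
    db = ParamsOnlyDB()
    db.execute("CREATE TABLE users (name TEXT)")
    # Awkward but legitimate data: a quote and a trailing backslash.
    name = "O'Brien \\"
    db.execute("INSERT INTO users (name) VALUES (?)", (name,))
    rows = db.execute("SELECT name FROM users WHERE name = ?", (name,))
    # Dynamic SQL is rejected even when the programmer remembered to escape.
    try:
        db.execute("SELECT name FROM users WHERE name = '%s'" % naive_escape(name))
        rejected = False
    except UnsafeQueryError:
        rejected = True
    return rows, rejected
```

The parameterised path stores and retrieves the quote and the backslash intact, while the escaped-and-concatenated query never reaches the database.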
