WebApp Sec mailing list archives
Re: Blind SQL Injection / Stored procedures
From: ascii <ascii () katamail com>
Date: Fri, 18 Nov 2005 14:28:26 +0100
LAROUCHE Francois wrote:
> Now the problem with PHP is that under the version 5
> (not sure at 100%) there is nothing that prevents SQL
> injection since the SQL is inline in the code.
> Even with magic quotes it's dangerous since you can
> achieve SQL injection without a single quote (when
> there is an integer argument for instance).

You have to do your checks manually. Personally I don't love magic quotes and prefer to do the stuff myself.

Writing secure queries isn't a big effort; I think that a programmer uses about 5 min+ in a day for validating user input. There are two points to keep in memory:

1) Use the single quotes _also_ on integers:

     WHERE id = $id

   must be

     WHERE `id` = '$id'

2) Use some validation functions and casting:

     $input = (int)intval($input);

   and _always_ use mysql_real_escape_string() (or an equivalent one) also on ints:

     $input = mysql_real_escape_string($input);

Moral: PHP core developers are right, PHP developers have to move on, and quickly.
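The two points above, worked through in PHP as an added example that is not part of the original thread: it shows why an unquoted integer parameter is injectable even with magic quotes on, then the quoted and cast versions. The table/column names are assumed, and since mysql_real_escape_string() needs a live connection, addslashes() stands in for it so the script runs offline.

```php
<?php
// Added example, not from the original post. No database connection is
// opened; the query strings are built and printed so the effect of each
// step is visible. Table `users` / column `id` are assumed names.

// Magic quotes only backslash-escape ' " \ and NUL; simulate that here.
function simulate_magic_quotes(string $raw): string
{
    return addslashes($raw);
}

// VULNERABLE pattern from the post: WHERE id = $id, no quotes, no cast.
// Magic quotes cannot help because the injected text needs no quote.
function query_unquoted(string $id): string
{
    return "SELECT * FROM users WHERE id = $id";
}

// Point 1: quote the integer. The user text is now a string literal,
// compared as a single value, and breaking out needs a quote character,
// which magic quotes or an escape function neutralises.
function query_quoted(string $id): string
{
    return "SELECT * FROM users WHERE `id` = '$id'";
}

// Point 2: cast with intval() and escape anyway. After the cast only
// digits remain, so the escape is a no-op; that is why applying it to
// every parameter costs nothing. In production pass a closure around
// mysqli_real_escape_string($link, $v) as $escape (assumption: mysqli).
function query_hardened(string $id, ?callable $escape = null): string
{
    $escape = $escape ?? 'addslashes';      // offline stand-in
    $safe   = intval($id);                  // '1 OR 1=1' -> 1, 'abc' -> 0
    $safe   = $escape((string) $safe);
    return "SELECT * FROM users WHERE `id` = '$safe'";
}

// Constructed input: an integer parameter with a tautology appended,
// as it arrives after magic quotes have run (unchanged: no quotes in it).
$input = simulate_magic_quotes('1 OR 1=1');

echo query_unquoted($input), "\n";   // WHERE id = 1 OR 1=1  (whole table)
echo query_quoted($input), "\n";     // WHERE `id` = '1 OR 1=1'  (one literal)
echo query_hardened($input), "\n";   // WHERE `id` = '1'
```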