WebApp Sec mailing list archives

Re: Blind SQL Injection / Stored procedures


From: ascii <ascii () katamail com>
Date: Fri, 18 Nov 2005 14:28:26 +0100

LAROUCHE Francois wrote:
> Now the problem with PHP is that under the version 5
> (not sure at 100%) there is nothing that prevents SQL
> injection since the SQL is inline in the code.
> Even with magic quotes it's dangerous since you can
> achieve SQL injection without a single quote (when
> there is an integer argument for instance).

you have to do your checks manually

personally i don't love magic quotes and prefer to do
the stuff myself

writing secure queries isn't a big effort, i think that
a programmer uses about 5min+ in a day for validating
user input

there are two points to keep in memory:

1) use the single quotes _also_ on integers
   WHERE id = $id must be WHERE `id` = '$id'

2) use some validation functions and casting
   $input = (int)intval($input);
   and _always_ use the mysql_real_escape_string()
   (or an equivalent one) also on ints
   $input = mysql_real_escape_string($input);

moral: php core developers are right, php developers
have to move on and quickly
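The two rules above, put into working PHP as an added example (this is not code from the original post or from the thread's authors). It looks a row up by integer id, casting first and then quoting and escaping the value, and shows for comparison what the unquoted, uncast query the thread warns about looks like. Since `mysql_real_escape_string()` and the rest of the `mysql_*` extension were removed in PHP 7, the escaping function is passed in as a callable; the demo at the bottom uses `addslashes()` as a stand-in only because no database connection exists offline. The `users` table, its `id`/`name` columns and the `fetch_user_by_id()` prepared-statement variant are assumptions made for the example; they are the modern equivalent of the same idea, where the value is bound as an integer and never enters the SQL text at all.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post: ascii's two rules applied to
// a query that looks a row up by integer id, plus the mysqli prepared-statement
// equivalent. Table/column names are assumptions for the demo.

// Rule 2: cast to int first. intval() keeps only a leading integer, so anything
// that is not a plain number collapses to a harmless value (non-numeric -> 0).
function clean_int(mixed $raw): int
{
    return (int) intval($raw);
}

// Rule 1: quote the value even though it is an integer, and still run the
// escaping function over it. The escaped int contains no quotes, but keeping
// the habit means a later change of column type does not silently open a hole.
function query_by_id(mixed $raw_id, callable $escape): string
{
    $id = $escape((string) clean_int($raw_id));
    return "SELECT `id`, `name` FROM `users` WHERE `id` = '$id'";
}

// The pattern the thread warns about, for comparison only: an unquoted integer
// argument spliced straight into the WHERE clause, with no cast and no escaping.
function unsafe_query_by_id(string $raw_id): string
{
    return "SELECT `id`, `name` FROM `users` WHERE id = $raw_id";
}

// Modern equivalent: a prepared statement with an "i" (integer) parameter.
// The value is sent separately from the SQL text, so neither quoting nor
// escaping applies; the cast is still worth keeping as input validation.
function fetch_user_by_id(mysqli $db, mixed $raw_id): ?array
{
    $id = clean_int($raw_id);
    $stmt = $db->prepare('SELECT `id`, `name` FROM `users` WHERE `id` = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Stand-in escaper for the offline demo. In real code bind the driver's own
// function to a live connection, e.g. fn($s) => $db->real_escape_string($s).
$demo_escape = fn(string $s): string => addslashes($s);

// Constructed inputs: a normal id, the quote-free case the thread describes
// (an integer argument needs no single quote to alter the query), and junk.
foreach (['42', '1 OR 1=1', 'abc'] as $input) {
    echo 'input:  ' . var_export($input, true) . "\n";
    echo 'unsafe: ' . unsafe_query_by_id($input) . "\n";
    echo 'safe:   ' . query_by_id($input, $demo_escape) . "\n\n";
}
```

Running it shows the cast doing the real work: `'1 OR 1=1'` becomes `'1'` and `'abc'` becomes `'0'` inside the quoted literal, while the unsafe builder passes the raw string through into the query. With the prepared-statement variant the question of quoting disappears, which is why it is the form to reach for on any PHP version still receiving updates.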

