mailing list archives
Re: PHP filter function against SQL injections
From: Henry Troup <htroup () acm org>
Date: Fri, 09 Feb 2007 15:21:10 -0500
2. union injection ??
A very key testcase. Union injection requires no special characters if the
parameters were assumed to be integers.
You should be using mysql_real_escape_string(), btw. The documentation
claims that mysql_real_escape_string() is completely effective; what are
you willing to bet on that?
That have been at least two vulnerabilities already in this function
(One is from January 2006, one from June, so I doubt they are the same hole.)
When you deal in character-set issues on the Internet, you have to
rely on multiple devices and layers all being correct; history shows
that's a risky assumption.
The "industrial strength" to protect against SQL injection is to
a) consider the allowable inputs carefully and filter the input
b) use BIND variables (or generally, the prepare and execute methods)
See http://ca3.php.net/mysqli for an overview of the mysqli_stmt class and
bind_param - binds variables to a prepared statement
execute - executes a prepared statement
fetch - fetches result from a prepared statement into bound variables
prepare - prepares a SQL query
Building SQL by concatenation is inherently vulnerable, just don't do it.
htroup () acm org
FW: PHP filter function against SQL injections kevin fielder (Feb 08)
Re: PHP filter function against SQL injections Henry Troup (Feb 12)
Re: PHP filter function against SQL injections Henry Troup (Feb 13)
Re: Re: PHP filter function against SQL injections ianbow (Feb 14)
- Re: PHP filter function against SQL injections, (continued)