Security Basics mailing list archives

Re: why most sql injection is not occurred at mysql?
From: jam () zoidtechnologies com
Date: Tue, 23 Oct 2007 14:18:19 -0400

On Tue, Oct 23, 2007 at 10:14:17AM -0700, Francois Larouche wrote:
> Annyo MontyRee,
>
> Funny you mention this because in my experience I found more sql
> injections in mysql websites. But as you mention it's not related to the
> database but how it has been implemented inside the web application
> or/and inside the stored proc.


correct.

in php, if you do something like:

$sql = "select * from foo where bar={$bar}";

and you do not properly escape $bar, you are open to an sql-injection. there
was a "hack" put in place so that if I somehow get $bar to be equal to "1;
delete from foo" it will not work, but the "real" solution is to escape all
input that comes from a user (or a bot, or whathaveyou), and to do your
queries a little differently.

what I have been doing lately is using a module in PEAR called MDB2. 

$sql = "select * from foo where bar=?";

and then you make an array that has your data in it:

$dat = array($bar);

then you run the query...

if you use that technique for *every* query, you should not be vulnerable to
sql-injection any more. naturally there are other vectors to be concerned
about.

regards,
J
-- 
http://zoidtechnologies.com/ -- software that sucks less
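
The two query styles from the message above, side by side, as an added example that is not part of the original post and is not MDB2 code. It assumes PHP's PDO with an in-memory SQLite database in place of PEAR MDB2 so that it runs without a server; the rows in foo, the function names and the input strings are constructed for illustration.

```php
<?php
// Added example. PDO with in-memory SQLite stands in for PEAR MDB2 (an assumption
// made so this runs offline). Table foo and column bar come from the post;
// the rows and the input strings are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('create table foo (bar integer, note text)');
$db->exec("insert into foo values (1, 'one'), (2, 'two'), (3, 'three')");

// Interpolated query: $bar becomes part of the SQL text itself.
function find_interpolated(PDO $db, $bar)
{
    $sql = "select * from foo where bar={$bar}";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholder query: the SQL text is fixed and $bar is sent as data only.
function find_bound(PDO $db, $bar)
{
    $sql = "select * from foo where bar=?";
    $dat = array($bar);
    $sth = $db->prepare($sql);
    $sth->execute($dat);
    return $sth->fetchAll(PDO::FETCH_ASSOC);
}

// The second input holds a single statement, so a block on stacked
// statements (the "hack" in the post) does not apply to it.
foreach (array('1', '1 or 1=1') as $bar) {
    printf("bar=%-10s interpolated: %d row(s)  bound: %d row(s)\n",
        "'{$bar}'",
        count(find_interpolated($db, $bar)),
        count(find_bound($db, $bar)));
}
```

With the interpolated form the second input changes the WHERE clause; with the placeholder form the same string is compared as one value.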

