mailing list archives
Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)
From: rvdm () CISTRON NL (van der Meulen, Robert)
Date: Sat, 5 Feb 2000 12:47:17 +0100
Quoting rain forest puppy (rfp () WIRETRIP NET):
----[ 3. Solution
In the end, *all* (let me repeat that... **ALL**) incoming user data
should be passed through quote(), onlynumbers(), or scrubtable()...NO
EXCEPTIONS! Passing user data straight into a SQL query is asking for
someone to tamper with your database.
New versions of wwwthreads are available from www.wwwthreads.com, which
implement the solutions pretty much as I've described them here.
If the script acessing the database uses DBI, it's better to handle a query
the following way:
$sth=$dbh->prepare("INSERT INTO table (foo,bar) VALUES (?,?)");
Using the '?' placeholders takes care of quoting, and allows re-execute()ing
the query with different parameters.
I must admit here, that not all DBI drivers support placeholders, but most do.
ofcourse catch the results, and check them. Insertion of non-numerics into
your database is checked when you actually _do_ the insert.
| rvdm () cistron nl - Cistron Internet Services - www.cistron.nl |
| php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security |
| My statements are mine, and not necessarily cistron's. |