This will *NOT* work.
Do not do this.
The only best way to avoid SQL injection is to remove
special chars, such as "'" in strings and !numeric
in numbers.
-----Original Message-----
From: Security OnLine.tk [mailto:securityonline () email it]
Sent: Wednesday, 17 September 2003 7:45 AM
To: webappsec () securityfocus com
Subject: Re: PHP for preventing SQL injections?
I know something to use in ASP, but it could be good also in PHP
in ASP, you got a string with the SQL commands:
string = "SELECT * FROM tblTable WHERE ID='" & id & "'"
to prevent a SQL injection attack:
string = "SELECT * FROM tblTable WHERE ID=('" & id & "')"
in PHP you could do something like this
$sql_cmds = "SELECT * FROM tblTable WHERE ID=('" . $id . "')";
check if this works
David a.k.a. hanska
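Added example (not from any poster in this thread) putting the parenthesised concatenation above next to a bound parameter, so the difference can be checked rather than guessed. It assumes PHP 7+ with the PDO SQLite driver; the table, rows and the hostile input are constructed here.

```php
<?php
// Added example: why wrapping the value in parentheses does not stop
// injection, and what does. Assumes PHP 7+ with PDO and the SQLite driver.
// The table and rows below are constructed for this demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE tblTable (ID TEXT, Name TEXT)");
$db->exec("INSERT INTO tblTable VALUES ('1', 'alice'), ('2', 'bob')");

// The suggestion from the thread, with the PHP quoting corrected:
// parentheses around the quoted value. The value is still spliced
// into the SQL text, so anything inside it is parsed as SQL.
function query_concat(PDO $db, string $id): array {
    $sql_cmds = "SELECT * FROM tblTable WHERE ID=('" . $id . "')";
    return $db->query($sql_cmds)->fetchAll(PDO::FETCH_ASSOC);
}

// Parameterised query: the value is bound by the driver and is never
// part of the SQL text, so no character filtering is needed.
function query_prepared(PDO $db, string $id): array {
    $stmt = $db->prepare("SELECT * FROM tblTable WHERE ID = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input that closes both the quote and the parenthesis and
// appends its own always-true condition.
$hostile = "x') OR ('1'='1";

echo "concat,   normal id : ", count(query_concat($db, '1')), " row(s)\n";
echo "concat,   hostile id: ", count(query_concat($db, $hostile)), " row(s)\n";
echo "prepared, hostile id: ", count(query_prepared($db, $hostile)), " row(s)\n";
```

Running it shows the concatenated form returning the whole table for the hostile input while the prepared form returns nothing, because the bound value is compared literally. The parentheses only change which characters an attacker has to balance, not whether the input is parsed as SQL.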
-------Original Message-------
From: Lefevre, Steven
Date: Tuesday, 16 September 2003 23.38.58
To: webappsec () securityfocus com
Subject: PHP for preventing SQL injections?
Hey folks -
Does anyone know of a regexp for checking SQL strings for injection
attempts?
Steve Lefevre
Network Administrator
IMI International, Inc.
614.839.2500