WebApp Sec
mailing list archives
Re: PHP for preventing SQL injections?
From: <cipherz () slamsoft dk>
Date: Wed, 17 Sep 2003 11:52:59 +0100
Not sure if it has been mentioned, but what about the PHP function
is_integer?
/ciph
----- Original Message -----
From: "wilfrid" <wilfrid () digifactory fr>
To: "Security OnLine.tk" <securityonline () email it>
Cc: <webappsec () securityfocus com>
Sent: Wednesday, September 17, 2003 6:27 AM
Subject: Re: PHP for preventing SQL injections?
For this kind of request, if your $id is an INT, you can avoid all
injection with an intval():
$string = "SELECT * FROM tblTable WHERE ID=".intval($id);
If $id contains non-number characters, it will return 0.
Wilfrid.
Security OnLine.tk wrote:
I know something to use in ASP, but it could be good also in PHP.
In ASP, you have a string with the SQL commands:
string = "SELECT * FROM tblTable WHERE ID='" & id & "'"
To prevent a SQL injection attack:
string = "SELECT * FROM tblTable WHERE ID=('" & id & "')"
In PHP you could do something like this:
$sql_cmds = "SELECT * FROM tblTable WHERE ID=('" . $id . "')";
Check if this works.
David a.k.a. hanska
-------Original Message-------
From: Lefevre, Steven
Date: Tuesday, 16 September 2003 23:38:58
To: webappsec () securityfocus com
Subject: PHP for preventing SQL injections?
Hey folks -
Does anyone know of a regexp for checking SQL strings for injection
attempts?
Steve Lefevre
Network Administrator
IMI International, Inc.
614.839.2500
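To put the three suggestions in this thread side by side, here is an added example (my own code, not posted by any of the participants). It builds the query each approach produces for a benign ID and two constructed injection strings, runs them against an in-memory SQLite table through PDO, and adds a PDO prepared statement as the comparison point the thread does not mention. It assumes the pdo_sqlite driver is available; the helper names (query_intval, query_checked, query_parens, rows_prepared, rows_for) are hypothetical, and the table and column names follow the thread's SQL.

```php
<?php
declare(strict_types=1);

// Added example: the integer-ID approaches proposed in the thread, side
// by side. Function names are hypothetical helpers written for this
// example; the table name and column follow the thread's SQL.

// wilfrid: coerce with intval(). Non-numeric input becomes 0, but a
// numeric prefix is kept and the rest is silently discarded.
function query_intval(string $id): string
{
    return "SELECT * FROM tblTable WHERE ID=" . intval($id);
}

// cipherz: is_integer(). Request parameters arrive as strings, so this
// is false even for "42"; ctype_digit() is the check that applies to a
// decimal string (it also rejects "", "-1" and "4 2").
function query_checked(string $id): ?string
{
    if (is_integer($id) || ctype_digit($id)) {
        return "SELECT * FROM tblTable WHERE ID=" . $id;
    }
    return null; // reject: the caller should answer 400, not query
}

// hanska: wrap the quoted value in parentheses.
function query_parens(string $id): string
{
    return "SELECT * FROM tblTable WHERE ID=('" . $id . "')";
}

// Not in the thread: bind the value as data with a prepared statement.
// The SQL text is fixed; the input can never change its structure.
function rows_prepared(PDO $db, string $id): array
{
    $stmt = $db->prepare("SELECT * FROM tblTable WHERE ID = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Execute a built query string and report how many rows it returned.
function rows_for(PDO $db, ?string $sql): string
{
    if ($sql === null) {
        return 'rejected';
    }
    return count($db->query($sql)->fetchAll(PDO::FETCH_ASSOC)) . ' row(s)';
}

// Constructed test data: two rows, plus one benign ID and two injection attempts.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE tblTable (ID INTEGER PRIMARY KEY, Name TEXT)");
$db->exec("INSERT INTO tblTable VALUES (42, 'alice'), (43, 'bob')");

$inputs = ["42", "42 OR 1=1", "1') OR ('1'='1"];

foreach ($inputs as $in) {
    printf("input %s\n", var_export($in, true));
    printf("  intval      -> %-50s %s\n", query_intval($in), rows_for($db, query_intval($in)));
    printf("  ctype_digit -> %-50s %s\n", query_checked($in) ?? 'null', rows_for($db, query_checked($in)));
    printf("  parens      -> %-50s %s\n", query_parens($in), rows_for($db, query_parens($in)));
    printf("  prepared    -> %-50s %d row(s)\n", 'ID = :id (bound)', count(rows_prepared($db, $in)));
}
```

Run it with `php example.php`. For the input `1') OR ('1'='1` the parenthesised query returns both rows, because the attacker's closing quote and parenthesis simply balance the ones the code added; intval() and ctype_digit() both neutralise it, the first by truncating to 1 (no row) and the second by refusing to build a query at all. The prepared statement returns one row for "42" and none for either injection string, since the bound value is compared as data rather than parsed as SQL, which is why it is the general answer for columns that are not integers and cannot be protected by intval().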