Security Basics mailing list archives
Re: why most sql injection is not occurred at mysql?
From: jam () zoidtechnologies com
Date: Tue, 23 Oct 2007 14:18:19 -0400
On Tue, Oct 23, 2007 at 10:14:17AM -0700, Francois Larouche wrote:
> Annyo MontyRee, Funny you mention this because in my experience I found more sql injections in mysql websites. But as you mention it's not related to the database but how it has been implemented inside the web application or/and inside the stored proc.
correct.
in php, if you do something like:
$sql = "select * from foo where bar={$bar}";
and you do not properly escape $bar, you are open to an sql-injection. there
was a "hack" put in place so that if I somehow get $bar to be equal to "1;
delete from foo" it will not work, but the "real" solution is to escape all
input that comes from a user (or a bot, or whathaveyou), and to do your
queries a little differently.
what I have been doing lately is using a module in PEAR called MDB2.
$sql = "select * from foo where bar=?";
and then you make an array that has your data in it:
$dat = array($bar);
then you run the query...
if you use that technique for *every* query, you should not be vulnerable to
sql-injection any more. naturally there are other vectors to be concerned
about.
regards,
J
--
http://zoidtechnologies.com/ -- software that sucks less
Current thread:
- why most sql injection is not occurred at mysql? MontyRee (Oct 23)
- Re: why most sql injection is not occurred at mysql? Brian Daniel Beck (Oct 23)
- Re: why most sql injection is not occurred at mysql? Francois Larouche (Oct 23)
- Re: why most sql injection is not occurred at mysql? jam (Oct 23)
- Re: why most sql injection is not occurred at mysql? Jedrzej Majko (Oct 25)
- Re: why most sql injection is not occurred at mysql? jam (Oct 23)
