Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: PHP filter function against SQL injections

From: Henry Troup <htroup () acm org>
Date: Fri, 09 Feb 2007 15:21:10 -0500
2. union injection ??


A very key testcase.  Union injection requires no special characters if the 
parameters were assumed to be integers.  

You should be using mysql_real_escape_string(), btw.  The documentation 
claims that mysql_real_escape_string() is completely effective; what are 
you willing to bet on that?

That have been at least two vulnerabilities already in this function
- see
 http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html 
and
 http://software.newsforge.com/article.pl?sid=06/06/01/213223&tid=78

(One is from January 2006, one from June, so I doubt they are the same hole.)

When you deal in character-set issues on the Internet, you have to
rely on multiple devices and layers all being correct; history shows
that's a risky assumption.

The "industrial strength" to protect against SQL injection is to

a) consider the allowable inputs carefully and filter the input
and
b) use BIND variables (or generally, the prepare and execute methods)

See http://ca3.php.net/mysqli for an overview of the mysqli_stmt class and 
the methods

bind_param - binds variables to a prepared statement
execute - executes a prepared statement
fetch - fetches result from a prepared statement into bound variables
prepare - prepares a SQL query

and others.

Building SQL by concatenation is inherently vulnerable, just don't do it.


--
Henry Troup
htroup () acm org
Previous By Date Next
Previous By Thread Next

Current thread: