Security Basics mailing list archives
Re: PHP filter function against SQL injections
From: Henry Troup <htroup () acm org>
Date: Fri, 09 Feb 2007 15:21:10 -0500
2. union injection ??
A very key testcase. Union injection requires no special characters if the parameters were assumed to be integers. You should be using mysql_real_escape_string(), btw. The documentation claims that mysql_real_escape_string() is completely effective; what are you willing to bet on that? That have been at least two vulnerabilities already in this function - see http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html and http://software.newsforge.com/article.pl?sid=06/06/01/213223&tid=78 (One is from January 2006, one from June, so I doubt they are the same hole.) When you deal in character-set issues on the Internet, you have to rely on multiple devices and layers all being correct; history shows that's a risky assumption. The "industrial strength" to protect against SQL injection is to a) consider the allowable inputs carefully and filter the input and b) use BIND variables (or generally, the prepare and execute methods) See http://ca3.php.net/mysqli for an overview of the mysqli_stmt class and the methods bind_param - binds variables to a prepared statement execute - executes a prepared statement fetch - fetches result from a prepared statement into bound variables prepare - prepares a SQL query and others. Building SQL by concatenation is inherently vulnerable, just don't do it. -- Henry Troup htroup () acm org
Current thread:
- Re: PHP filter function against SQL injections, (continued)
- Re: PHP filter function against SQL injections jeff (Feb 07)
- Re: PHP filter function against SQL injections Koen Bossaert (Feb 08)
- Re: PHP filter function against SQL injections Kellox (Feb 08)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 08)
- Re: PHP filter function against SQL injections Terra Frost (Feb 09)
- Message not available
- Re: PHP filter function against SQL injections Terra Frost (Feb 12)
- Re: PHP filter function against SQL injections Kellox (Feb 08)
- Re: PHP filter function against SQL injections Kellox (Feb 09)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 09)
- Re: PHP filter function against SQL injections Nic Stevens (Feb 12)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 14)
- RE: PHP filter function against SQL injections Dan Anderson (Feb 19)