WebApp Sec mailing list archives

Re: :o)


From: "Gavin Zuchlinski" <gzuchlinski () pgsit org>
Date: Fri, 22 Aug 2003 14:53:25 -0400

addslashes() is a bare minimum for protecting scripts against SQL injection
attacks from strings. intval() should be used to ensure that the values are
integers too (SQL injection with a supposed integer vector can be even more
dangerous since it can bypass PHP's magic_quotes_gpc, which I have sadly seen
many servers bet their life on...).
The best option is to filter all characters that are specifically allowed.
This can be done with a regular expression like s/[^a-zA-Z0-9]/X/g which
will replace all characters which are not in the alphanumeric set with a big
old X. Regexes also have the nice attribute of being extremely customizable
for any circumstance.

Gavin Zuchlinski
http://libox.net

> ... looks like there are a lot of webapps dealing with strings with
> addslashes(). But is it enough? What about meta characters? addslashes
> doesn't deal with them. I think it is a good idea to use addslashes()
> AND quotemeta().
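The three measures the reply above names (addslashes() for quoted strings, intval() for integer parameters, and the s/[^a-zA-Z0-9]/X/g allow-list filter) side by side in PHP, as an added example that is not code from the original post; the query strings, function names and inputs are constructed for illustration.

```php
<?php
// Added example (not from the original post): the three defences from the
// mail, applied to two parameters of a hypothetical PHP script.

// 1. Integer parameter: addslashes() alone does nothing useful here, because
//    an unquoted integer context needs no quote character to inject into.
function user_id_sql_unsafe($id) {
    return "SELECT name FROM users WHERE id = " . addslashes($id);
}

// Hardened: intval() forces an integer, so anything after the leading
// digits is dropped before it reaches the query.
function user_id_sql($id) {
    return "SELECT name FROM users WHERE id = " . intval($id);
}

// 2. String parameter: addslashes() is the bare minimum inside a quoted
//    context (a quote in the input becomes \' and stays inside the literal).
function name_sql($name) {
    return "SELECT id FROM users WHERE name = '" . addslashes($name) . "'";
}

// 3. Allow-list filter: the s/[^a-zA-Z0-9]/X/g from the mail, written as
//    preg_replace(). Everything outside the permitted set becomes 'X'.
function whitelist_alnum($s) {
    return preg_replace('/[^a-zA-Z0-9]/', 'X', $s);
}

// Constructed inputs for the demonstration.
$bad_id   = "1 OR 1=1";
$bad_name = "o'reilly";

echo user_id_sql_unsafe($bad_id), "\n";  // the OR clause survives addslashes()
echo user_id_sql($bad_id), "\n";         // ... WHERE id = 1
echo name_sql($bad_name), "\n";          // ... WHERE name = 'o\'reilly'
echo whitelist_alnum($bad_id), "\n";     // 1XORX1X1
```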


