WebApp Sec mailing list archives
Re: :o)
From: "Gavin Zuchlinski" <gzuchlinski () pgsit org>
Date: Fri, 22 Aug 2003 14:53:25 -0400
addslashes() is a bare minimum for protecting scripts against SQL injection attacks from strings. intval() should be used to ensure that the values are integers too (SQL injection with a supposed integer vector can be even more dangerous, since it can bypass PHP's magic_quotes_gpc, which I have sadly seen many servers bet their life on...).

The best option is to filter all characters that are specifically allowed. This can be done with a regular expression like s/[^a-zA-Z0-9]/X/g, which will replace all characters which are not in the alphanumeric set with a big old X. Regexes also have the nice attribute of being extremely customizable for any circumstance.

Gavin Zuchlinski
http://libox.net
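The three measures from the reply above (addslashes(), intval() for integer parameters, and the alphanumeric whitelist regex), applied to constructed request values. This is an added example, not code from the original post; the function names and sample inputs are hypothetical.

```php
<?php
declare(strict_types=1);

// Whitelist filter from the post: anything outside [a-zA-Z0-9]
// becomes an 'X' (the s/[^a-zA-Z0-9]/X/g substitution).
function whitelist_alnum(string $value): string
{
    return preg_replace('/[^a-zA-Z0-9]/', 'X', $value);
}

// Integer parameter: intval() keeps only the leading integer, so a
// payload appended after the number is discarded entirely.
function to_int(string $value): int
{
    return intval($value);
}

// Apply a per-parameter policy ('int' or 'alnum') to a request array.
// Parameters not in the policy are dropped rather than passed through.
function filter_request(array $request, array $policy): array
{
    $clean = [];
    foreach ($policy as $name => $kind) {
        $raw = (string) ($request[$name] ?? '');
        $clean[$name] = ($kind === 'int') ? to_int($raw) : whitelist_alnum($raw);
    }
    return $clean;
}

// Constructed sample input (hypothetical, not captured traffic).
$request = [
    'username' => "o'brien; DROP TABLE users",
    'id'       => '42 OR 1=1',   // no quote characters at all
];

// addslashes() only escapes quotes, backslashes and NUL. The integer
// vector contains none of them, so it passes through unchanged, which
// is the magic_quotes_gpc bypass the post warns about.
echo "addslashes(id):       " . addslashes($request['id']) . "\n";   // 42 OR 1=1
echo "addslashes(username): " . addslashes($request['username']) . "\n";

$clean = filter_request($request, ['id' => 'int', 'username' => 'alnum']);
echo "intval(id):           " . $clean['id'] . "\n";                // 42
echo "whitelist(username):  " . $clean['username'] . "\n";          // oXbrienXXDROPXTABLEXusers
```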
> ... looks like there are a lot of webapps dealing with strings with addslashes(). But is it enough? What about meta characters? addslashes doesn't deal with them. I think it is a good idea to use addslashes() AND quotemeta().