WebApp Sec mailing list archives
Re: SQL injection and PHP/MYSQL
From: shimi <shimi () shimi net>
Date: Wed, 10 Sep 2003 00:10:51 +0300 (IDT)
Uhm: http://php.net/mysql-escape-string

On Tue, 9 Sep 2003, Robert Buljevic wrote:

> I'm well aware of the SQL injection problem when accepting non-trusted data. However, I'm interested in a more concrete example, precisely the PHP/MySQL combination. Suppose I have some input text that's passed to MySQL for searching via HTTP GET request. What characters should I allow/disallow? And is it enough to use PHP's addslashes function? If not, why? Could you provide any example of input that could cause injection even if it's slashed - always referring to the particular case of PHP/MySQL? Any info would be appreciated... Thanks!
>
> Robert Buljevic
--
Best regards,
Shimi

----
"Outlook is a massive flaming horrid blatant security violation, which also happens to be a mail reader."
-=The best way to accelerate a Windows machine is at 9.81 m/s^2=-
"Sure UNIX is user friendly; it's just picky about who its friends are."
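An added example, not code from Shimi's reply or from anyone else in the thread, showing how a search term from a GET request can reach MySQL safely in PHP. It assumes a table `articles` with `id` and `title` columns and uses placeholder connection details. The function the reply links to, `mysql_escape_string`, was removed in PHP 7 and, unlike `mysql_real_escape_string`, never consulted the connection's character set; the mysqli successor `real_escape_string` does, which is the property `addslashes()` lacks. The example prefers a bound parameter over escaping, escapes LIKE's own wildcards (which no SQL-escaping function touches), and treats the length limit as a separate validation step rather than a character blocklist.

```php
<?php
// Added example, not code from the thread. Assumes a MySQL table `articles`
// with columns `id` and `title`; the connection constants are placeholders.
declare(strict_types=1);

const DB_HOST = 'localhost';  // placeholder values
const DB_USER = 'app';
const DB_PASS = 'change-me';
const DB_NAME = 'demo';

function connect(): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    // The connection charset is what makes real_escape_string() charset-aware;
    // addslashes() cannot know which charset the server will use to parse bytes.
    $db->set_charset('utf8mb4');
    return $db;
}

// Build a LIKE pattern from a raw term. SQL escaping/binding protects the
// string literal only; LIKE's metacharacters % and _ (and the default escape
// character, backslash) must be escaped separately or the user gets wildcards.
function likePattern(string $term): string
{
    return '%' . addcslashes($term, '%_\\') . '%';
}

// Preferred form: the term travels as a bound parameter and is never spliced
// into the SQL text, so a quote inside it cannot end the string literal.
function searchTitles(mysqli $db, string $term): array
{
    $pattern = likePattern($term);
    $stmt = $db->prepare('SELECT id, title FROM articles WHERE title LIKE ? LIMIT 50');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd
}

// Escaping form, the mysqli equivalent of what the reply links to. Correct only
// because set_charset() ran first; the escaper must agree with the server's parser.
function searchTitlesEscaped(mysqli $db, string $term): array
{
    $pattern = $db->real_escape_string(likePattern($term));
    $result = $db->query("SELECT id, title FROM articles WHERE title LIKE '$pattern' LIMIT 50");
    return $result->fetch_all(MYSQLI_ASSOC);
}

// Request handling: length is a validation concern, separate from escaping.
$term = (string) ($_GET['q'] ?? '');
if (strlen($term) > 100) {
    http_response_code(400);
    exit('search term too long');
}

$db = connect();
foreach (searchTitles($db, $term) as $row) {
    // Output encoding is the matching step on the way back out to HTML.
    echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The two search functions return the same rows; the bound-parameter version is the one to keep, since its safety does not depend on remembering to call the right escaper for the right connection. Both still need `likePattern()`, because a term such as `100%` would otherwise match everything.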