WebApp Sec mailing list archives
Re: SQL injection and PHP/MYSQL
From: "Brad Fults" <brad () mipscomputation com>
Date: Wed, 10 Sep 2003 10:55:34 -0700
After using mysql_escape_string to insert data into the database, is there an equal combination of unescaping one should do when the data is pulled from the database, or is a stripslashes() all that is necessary?

----- Original Message -----
From: "shimi" <shimi () shimi net>
To: "Robert Buljevic" <skeptic () s1c org>
Cc: <webappsec () securityfocus com>
Sent: Tuesday, September 09, 2003 2:10 PM
Subject: Re: SQL injection and PHP/MYSQL

Uhm: http://php.net/mysql-escape-string

On Tue, 9 Sep 2003, Robert Buljevic wrote:

> I'm well aware of the SQL injection problem when accepting non-trusted data.
>
> However, I'm interested in a more concrete example, precisely the PHP/MySQL combination. Suppose I have some input text that's passed to MySQL for searching via an HTTP GET request. What characters should I allow/disallow? And is it enough to use PHP's addslashes function? If not, why? Could you provide any example of input that could cause injection even if it's slashed - always referring to the particular case of PHP/MySQL?
>
> Any info would be appreciated... Thanks!
>
> Robert Buljevic

-- 
Best regards,
Shimi

----
"Outlook is a massive flaming horrid blatant security violation, which also happens to be a mail reader."
-=The best way to accelerate a Windows machine is at 9.81 m/s^2=-
"Sure UNIX is user friendly; it's just picky about who its friends are."
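The two questions in this thread (whether escaped data has to be "unescaped" on the way out, and whether addslashes() is enough) are easiest to answer by looking at the query string PHP actually builds. The script below is an added example, not code posted by anyone in the thread; it uses addslashes() because it runs without the mysql extension (mysql_escape_string() additionally escapes NUL, newline, carriage return and \x1a, but the two points shown are the same for both), and the users table and its columns are assumed for illustration. No database connection is made; the script only prints the SQL it would send.

```php
<?php
// Added example (not from the thread). Table and column names are assumed.
// Runs from the command line with no database; it prints the SQL that
// would be sent so the effect of escaping is visible.

// 1. Escaping protects the SQL *literal*, not the stored data. MySQL
//    turns \' back into ' while parsing the statement, so the row holds
//    the original text and nothing has to be unescaped when it is read
//    back. stripslashes() on output is only "needed" when the input was
//    escaped twice (e.g. magic_quotes_gpc already slashed $_GET and the
//    code slashed it again); the fix for that is to escape exactly once
//    on the way in, not to strip on the way out.
$name = "O'Reilly";
$sql  = "INSERT INTO users (name) VALUES ('" . addslashes($name) . "')";
echo $sql, "\n";
// INSERT INTO users (name) VALUES ('O\'Reilly')

// 2. Slashing is only meaningful inside a quoted literal. In an unquoted
//    numeric context there is no quote to break out of, so this input
//    survives addslashes() unchanged and still rewrites the WHERE clause.
$id  = "1 OR 1=1";
$sql = "SELECT * FROM users WHERE id = " . addslashes($id);
echo $sql, "\n";
// SELECT * FROM users WHERE id = 1 OR 1=1      <-- matches every row

// The fix for a numeric parameter is to enforce the type, not to escape:
// (int)"1 OR 1=1" is 1, so the trailing text never reaches the query.
$sql = "SELECT * FROM users WHERE id = " . (int) $id;
echo $sql, "\n";
// SELECT * FROM users WHERE id = 1

// 3. For a search, % and _ are LIKE wildcards that addslashes() leaves
//    alone. They cannot escape the literal, but they change what matches,
//    so escape them as well when the value is used inside LIKE.
$term = "50%_off";
$esc  = str_replace(array('%', '_'), array('\\%', '\\_'), addslashes($term));
$sql  = "SELECT * FROM users WHERE name LIKE '%" . $esc . "%'";
echo $sql, "\n";
// SELECT * FROM users WHERE name LIKE '%50\%\_off%'
```

The practical rule that falls out of this: escape (or, better, type-check or cast) every value at the point it is spliced into SQL, once, according to the context it lands in; never apply a second, compensating transformation on the data coming back out.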
Current thread:
- SQL injection and PHP/MYSQL Robert Buljevic (Sep 09)
- Re: SQL injection and PHP/MYSQL Sverre H. Huseby (Sep 09)
- Re: SQL injection and PHP/MYSQL Bill Pennington (Sep 09)
- Re: SQL injection and PHP/MYSQL Denis Arh (Sep 09)
- Re: SQL injection and PHP/MYSQL shimi (Sep 09)
- Re: SQL injection and PHP/MYSQL Brad Fults (Sep 10)
- Re: SQL injection and PHP/MYSQL Jan Pieter Kunst (Sep 10)
- Re: SQL injection and PHP/MYSQL Sverre H. Huseby (Sep 10)
- Re: SQL injection and PHP/MYSQL Brad Fults (Sep 10)
- <Possible follow-ups>
- RE: SQL injection and PHP/MYSQL Keifer, Trey (Sep 09)