WebApp Sec mailing list archives
Re: How to handle "special characters"
From: Tobias Mathes <tobias.mathes () ideenpark com>
Date: Tue, 16 Dec 2003 02:42:34 +0100
Hi Ghita,

Ghita Serban wrote:
> [...]
> $select_the_user="SELECT * FROM users WHERE username=".$username." AND password=".$password." LIMIT 1";
> [...]

If I am right, you only need to use this line instead of yours:

$select_the_user="SELECT * FROM users WHERE username='".$username."' AND password='".$password."' LIMIT 1";

You basically put your $vars into '' containers, like username='myusername'. I don't know anything about the SQL Injection problem, but I think at this point it's enough to "solve" that problem.

mh ok, I thought about it again. Well, you should be checking your incoming variables if they contain any quotes; if they do, remove the quotes from them.

regards,
Tobias Mathes

--
<company name="<!--ideenpark-->">
<name>Tobias Mathes</name>
<unit>Development</unit>
<email>tobias.mathes () ideenpark com</email>
</company>
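Added example (not from the post or its author, and in Python with an in-memory SQLite table rather than the PHP/MySQL of the thread): it runs the three approaches discussed above side by side. Wrapping the concatenated values in '' still breaks the statement as soon as the input itself contains a quote, stripping quotes keeps the statement intact but silently changes legitimate input, and a parameterized query handles the same input as plain data. The table contents and the user names are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed sample table; the rows are made up for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("o'brien", "pass")])
    return conn


def lookup_concat(conn, username, password):
    """Query built the way the post suggests: values wrapped in '' and
    concatenated into the SQL text. Returns the matching row, None for
    no match, or an 'error: ...' string when a quote inside the input
    terminates the literal early and the statement no longer parses."""
    sql = ("SELECT * FROM users WHERE username='" + username +
           "' AND password='" + password + "' LIMIT 1")
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return "error: " + str(exc)


def lookup_stripped(conn, username, password):
    """The post's fallback: delete quote characters before concatenating.
    The statement now parses, but a legitimate value that contains a
    quote is altered on the way in and no longer matches the stored row."""
    return lookup_concat(conn, username.replace("'", ""),
                         password.replace("'", ""))


def lookup_param(conn, username, password):
    """Same lookup with placeholders. The driver sends the values
    separately from the SQL text, so a quote in the input is only data
    and the stored row is found unchanged."""
    sql = "SELECT * FROM users WHERE username=? AND password=? LIMIT 1"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "o'brien"):
        print(name, "concat:", lookup_concat(db, name, "pass"))
        print(name, "stripped:", lookup_stripped(db, name, "pass"))
        print(name, "param:", lookup_param(db, name, "pass"))
```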
Current thread:
- How to handle "special characters" Sekurity Wizard (Dec 10)
- Re: How to handle "special characters" Clint Bodungen (Dec 10)
- RE: How to handle "special characters" Tony Langley (Dec 10)
- RE: How to handle "special characters" sparkes (Dec 11)
- RE: How to handle "special characters" riptide (Dec 11)
- RE: How to handle "special characters" sparkes (Dec 11)
- <Possible follow-ups>
- RE: How to handle "special characters" Brown, James F. (Dec 11)
- RE: How to handle "special characters" appsec (Dec 11)
- RE: How to handle "special characters" Sachin Hamirwasia (Dec 14)
- RE: How to handle "special characters" Ghita Serban (Dec 15)
- Re: RE: How to handle "special characters" .Saphyr (Dec 15)
- Re: How to handle "special characters" Tobias Mathes (Dec 15)
- RE: How to handle "special characters" Sachin Hamirwasia (Dec 14)
- RE: How to handle "special characters" Keifer, Trey (Dec 11)
- RE: How to handle "special characters" Ghita Serban (Dec 12)
- RE: How to handle "special characters" Tom Stowell (Dec 13)
- Re: How to handle "special characters" T.J. (Dec 13)
- Re: How to handle "special characters" Devdas Bhagat (Dec 21)
- Re: How to handle "special characters" T.J. (Dec 13)