WebApp Sec mailing list archives

Re: How to handle "special characters"


From: Tobias Mathes <tobias.mathes () ideenpark com>
Date: Tue, 16 Dec 2003 02:42:34 +0100


Hi Ghita,

Ghita Serban wrote:

> [...]
> $select_the_user="SELECT * FROM users WHERE username=".$username." AND
> password=".$password." LIMIT 1";
> [...]

If I am right, you only need to use this line instead of yours:

$select_the_user="SELECT * FROM users WHERE username='".$username."' AND
password='".$password."' LIMIT 1";


You basically put your $vars into '' containers, like
username='myusername'. I don't know anything about the SQL Injection
problem, but I think at this point it's enough to "solve" that problem.


Mh, ok, I thought about it again. Well, you should check your
incoming variables for quotes, and if they contain any, remove the
quotes from them.


regards,

Tobias Mathes

--
<company name="<!--ideenpark-->">
<name>Tobias Mathes</name>
<unit>Development</unit>
<email>tobias.mathes () ideenpark com</email>
</company>
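To see what the two suggestions above actually do against hostile input, here is an added example (my own code, not from Tobias's or Ghita's post). It builds the quoted query from the reply, the quote-stripping variant, and a prepared-statement variant side by side, and runs each against an in-memory SQLite table constructed in the script. It assumes PHP with the pdo_sqlite extension; the table name, column names and the sample row are made up for the demo.

```php
<?php
// Added example, not from the original post. Assumes PHP with pdo_sqlite.
// The users table and its single row are constructed here for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT, password TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 's3cret')");

// 1. The query from the reply: values placed in '' containers, no escaping.
function lookup_quoted(PDO $db, string $username, string $password): ?array
{
    $select_the_user = "SELECT * FROM users WHERE username='" . $username . "' AND "
                     . "password='" . $password . "' LIMIT 1";
    $row = $db->query($select_the_user)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. The second suggestion: strip single quotes from the input first,
//    then use the same quoted query.
function lookup_stripped(PDO $db, string $username, string $password): ?array
{
    $username = str_replace("'", "", $username);
    $password = str_replace("'", "", $password);
    return lookup_quoted($db, $username, $password);
}

// 3. Prepared statement: the values are bound separately and are never
//    spliced into the SQL text, so no character in them can change the query.
function lookup_prepared(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare("SELECT * FROM users WHERE username=? AND password=? LIMIT 1");
    $stmt->execute([$username, $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function report(string $label, ?array $row): void
{
    echo str_pad($label, 34) . ($row === null ? "no row (login refused)\n"
                                              : "row returned (login accepted)\n");
}

// Honest credentials: all three variants find alice.
report("quoted, real password:",   lookup_quoted($db, 'alice', 's3cret'));
report("stripped, real password:", lookup_stripped($db, 'alice', 's3cret'));
report("prepared, real password:", lookup_prepared($db, 'alice', 's3cret'));

// Hostile password. Inside the '' container the WHERE clause becomes
//   ... password='' OR '1'='1' LIMIT 1
// which is true for every row, so variant 1 returns alice without her password.
$evil = "' OR '1'='1";
report("quoted, injected password:",   lookup_quoted($db, 'alice', $evil));
report("stripped, injected password:", lookup_stripped($db, 'alice', $evil));
report("prepared, injected password:", lookup_prepared($db, 'alice', $evil));
```

Run it with `php example.php`. Stripping the quotes does stop this particular string, because without its quote the payload stays inside the container and is compared as a literal. It only helps, though, for as long as the quote is the one character that can break out: a value used in a numeric comparison (`id=` . $id) has no quote container at all, and backslash handling differs between databases. The prepared statement does not depend on guessing which characters are dangerous, which is why it is the usual fix for the query in the original post.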

