Re: PHPNuke SQL Injection / General SQL Injection

[MightyE <mightye () mightye org>]

Actually, user supplied input from $_COOKIES, $_POST, and $_GET comes 
slash-escaped, so if the user enters
' or 1=1
as their input, the sql statement will look like
where some_int='\' or 1=1'

This is determined by the PHP directive, magic_quotes_gpc.  During 
script execution, you can execute
if (!get_magic_quotes_gpc()){
   //code to recurse global variables, calling addslashes() on their values
}
to ensure that all user supplied input is properly escaped.

The proper escaping for ' and " in most databases (excluding Oracle and 
Sybase only, I believe), is to use \', \", and \\.

In Oracle and Sybase, ' and " are escaped as '' and "".   Magic quotes 
in PHP can be configured for Sybase compatibility, see the PHP website.

What I do on my portable code, where I can't know whether or not the 
server it's running on has magic quotes enabled, is use a function like 
this:

function escape($input){
   if (get_magic_quotes_gpc()) return $input;
   return addslashes($input);
}

and all user input through that.  As far as I know, all major databases 
accept quoted integers and interpret them as standard integers, so 
*always* quote user input so that they cannot inject SQL.

David Walker wrote:

> When programming a system that creates sql strings based on passed in integers
> i.e. where some_int=$variable_from_querystring
> you must always do a check to confirm that that variable contains only numeric 
> data.   
>
> an alternate fix on sql servers that allow the format
> where some_int='1234' -- (quoted numbers)
> would be to do
> where some_int='replace($variable_from_querystring,"'","''")'
> This would cause a more than likely harmless error to occur whenever character 
> occurs within the passed in numeric/integer variable.
>
>