WebApp Sec mailing list archives

Re: PHP for preventing SQL injections?


From: "Security OnLine.tk" <securityonline () email it>
Date: Tue, 16 Sep 2003 23:45:09 +0200 (Western European Daylight Time)

 
I know something used in ASP, but it could be good in PHP as well.
In ASP, you have a string with the SQL commands:
 
' VBScript/ASP: the quotes around the value must be inside the string literals
strSQL = "SELECT * FROM tblTable WHERE ID='" & id & "'"
 
to prevent a SQL injection attack:
 
' Same concatenation, with the value additionally wrapped in parentheses
strSQL = "SELECT * FROM tblTable WHERE ID=('" & id & "')"
 
in PHP you could do something like this
 
// PHP: variables are prefixed with $, and the quotes belong inside the string literals
$sql_cmds = "SELECT * FROM tblTable WHERE ID=('" . $id . "')";
 
check if this works
 
David a.k.a. hanska
 
 
-------Original Message-------
 
From: Lefevre, Steven
Date: Tuesday, 16 September 2003 23:38:58
To: webappsec () securityfocus com
Subject: PHP for preventing SQL injections?
 
Hey folks -
 
Does anyone know of a regexp for checking SQL strings for injection
attempts?
 
Steve Lefevre
Network Administrator
IMI International, Inc.
614.839.2500
 
.
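As an added example (not code from the thread, and not from either poster), here is the parenthesised concatenation from the reply above next to a parameterised query, run against a constructed in-memory SQLite table so the difference can be observed directly. The table, its rows, the payload and the function names (make_db, query_concat, query_param, ROWS, PAYLOAD) are all assumptions made up for this demonstration. In PHP the equivalent of the parameterised form is a PDO or mysqli prepared statement with bound parameters.

```python
import sqlite3

# Constructed sample data for the demonstration; not from the original thread.
ROWS = [("1", "alice"), ("2", "bob"), ("3", "carol")]

# Constructed attacker input: it closes the quoted, parenthesised literal and
# appends a condition that is always true. Note that it contains no SQL
# keyword other than OR, so a keyword regexp is unlikely to catch it.
PAYLOAD = "1') OR ('1'='1"


def make_db():
    """Build an in-memory SQLite database holding the sample table tblTable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblTable (ID TEXT, Name TEXT)")
    conn.executemany("INSERT INTO tblTable VALUES (?, ?)", ROWS)
    return conn


def query_concat(conn, user_id):
    """The reply's technique: user input concatenated inside ID=('...').

    With PAYLOAD the statement becomes
    SELECT * FROM tblTable WHERE ID=('1') OR ('1'='1')
    which matches every row; the parentheses change nothing.
    """
    sql = "SELECT * FROM tblTable WHERE ID=('" + user_id + "')"
    return conn.execute(sql).fetchall()


def query_param(conn, user_id):
    """Parameterised form: the driver passes the value separately from the
    SQL text, so the input is always compared as one literal string and can
    never alter the statement's structure."""
    sql = "SELECT * FROM tblTable WHERE ID=(?)"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("benign input, concatenated: ", query_concat(conn, "2"))
    print("payload, concatenated:      ", query_concat(conn, PAYLOAD))
    print("payload, parameterised:     ", query_param(conn, PAYLOAD))
```

Running the block shows the concatenated query returning one row for a benign ID and all three rows for the payload, while the parameterised query returns no rows for the payload because no ID equals that string. The fix is therefore not to reshape the surrounding SQL or to filter input with a regexp, but to keep data out of the statement text altogether.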



