WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

RE: PHP for preventing SQL injections?

From: <latte () hushmail com>
Date: Tue, 16 Sep 2003 16:39:11 -0700
This will *NOT* work.

Do not do this.

The only best way to avoid SQL injection is remove 
special chars, such as "'" in strings and !numeric
in numbers.


-----Original Message-----
From: Security OnLine.tk [mailto:securityonline () email it]
Sent: Wednesday, 17 September 2003 7:45 AM
To: webappsec () securityfocus com
Subject: Re: PHP for preventing SQL injections?


 

I know something to use in ASP, but it could be good also in PHP

in ASP, you got a string with the SQL commands:

 

string = "SELECT * FROM tblTable WHERE ID=' & id & '"

 

to prevent a SQL injection attack:

 

string = "SELECT * FROM tblTable WHERE ID=(' & id & ')"

 

in PHP you could do something like this

 

$sql_cmds = "SELECT * FROM tblTable WHERE ID=(' . id . ')";

 

check if this works

 

David a.k.a. hanska

 

 

-------Original Message-------

 

From: Lefevre, Steven

Date: martedì 16 settembre 2003 23.38.58

To: webappsec () securityfocus com

Subject: PHP for preventing SQL injections?

 

Hey folks -

 

Does anyone know of a regexp for checking SQL strings for injection

attempts?

 

Steve Lefevre

Network Administrator

IMI International, Inc.

614.839.2500

 

.



--
Email.it, the professional e-mail, gratis per te: http://www.email.it/f

Sponsor:
Sconti fino al 20% per i magnifici bouquet di Artefiori! Clicca qui!
Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=750&d=16-9




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427
Previous By Date Next
Previous By Thread Next

Current thread: