Re[2]: PHPNuke SQL Injection / General SQL Injection

From: alias@securityfocus.com
Date: 02/23/03

    Date: 23 Feb 2003 17:42:43 -0000
    From: alias@securityfocus.com
    To: undisclosed-recipients: ;
    

    MightyE,

    In response to your mail of Saturday 22 February 2003 at 21:20:29:

    M> Actually, user supplied input from $_COOKIES, $_POST, and $_GET
    M> comes slash-escaped, so if the user enters
    M> ' or 1=1
    M> as their input, the sql statement will look like
    M> where some_int='\' or 1=1'
    M> [..snip..]
    M> function escape($input){
    M> if (get_magic_quotes_gpc()) return $input;
    M> return addslashes($input);
    M> }
    M> [..snip..]

    Better still, always do this:

            ...WHERE id = ". intval($userinput) ." AND...

    which doesn't rely on local configuration, magicquotes etc., and
    resolves to (e.g.) "id = 0" when the $userinput is bad or missing.

    Safe, simple, portable and effective.

    -- 
    Best regards,
    James.
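
The following PHP script is an added example, not part of the original thread and not MightyE's or James's code. It puts the three approaches discussed above side by side against an in-memory SQLite database through PDO (the pdo_sqlite extension and the table, rows, function names and payload are all assumptions constructed for the example): a numeric column compared against unquoted, slash-escaped input; the same comparison after intval(); and a bound parameter, which is the general form of "separating parameters from the SQL statement" for columns of any type.

```php
<?php
// Added example (not from the original thread). Demonstrates why
// addslashes()/magic_quotes does not protect an UNQUOTED numeric comparison,
// how intval() closes that hole for integer columns, and how a bound parameter
// handles any column type. Assumes the pdo_sqlite extension is available.
declare(strict_types=1);

function buildDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    // Constructed sample rows for the demonstration.
    $db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
    return $db;
}

// 1. Vulnerable: the value is concatenated into a numeric comparison without
//    quotes. addslashes() (or magic_quotes_gpc) changes nothing here, because
//    a payload such as "1 OR 1=1" contains no quote or backslash to escape.
function vulnerableLookup(PDO $db, string $userinput): array {
    $sql = 'SELECT name FROM users WHERE id = ' . addslashes($userinput);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. James's suggestion: coerce to an integer before concatenating. Leading
//    digits survive, everything else is dropped, and non-numeric or missing
//    input collapses to 0, which matches no row in this table.
function intvalLookup(PDO $db, string $userinput): array {
    $sql = 'SELECT name FROM users WHERE id = ' . intval($userinput);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. General fix for any column type: a bound parameter keeps the value out of
//    the statement text entirely, so the DBMS's quoting rules no longer matter.
function preparedLookup(PDO $db, string $userinput): array {
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $userinput]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function show(string $label, array $rows): void {
    printf("%-14s %s\n", $label . ':', $rows === [] ? '(no rows)' : implode(',', $rows));
}

$db = buildDb();
$payload = '1 OR 1=1';   // constructed attacker input

show('vulnerable', vulnerableLookup($db, $payload));
show('intval', intvalLookup($db, $payload));
show('intval(junk)', intvalLookup($db, 'garbage'));
show('prepared', preparedLookup($db, $payload));
```

The vulnerable case returns every row, since the WHERE clause becomes `id = 1 OR 1=1`; the intval() case returns only the row for id 1, and the non-numeric input returns nothing; the prepared statement binds the whole payload as a single value that matches no id. Two caveats a practitioner should keep in mind: intval() is only a fix for integer columns (strings still need escaping or, better, binding), and the magic_quotes mechanism the thread relies on was removed in PHP 5.4, with get_magic_quotes_gpc() itself deprecated in 7.4 and removed in 8.0, so code that still calls it will not run on current PHP.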
    
