Re: SQL Injection

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




Govinda <govinda.webdnatalk@xxxxxxxxx> wrote:

>>> Ah, but what if I use sqlite or postgres?
>> 
>> Or Firebird ;)
>
>good point.
>
>
>>> IMHO, the discussion needs to be a the best way to prevent SQL
>injection across
>>> all possible DB types.  Not just mysql.
>> 
>> The main thing to avoid is building queries from elements that are
>directly loaded from the form inputs. While it is difficult to build
>sort elements for queries that use parameters, having a mechanism like
>ADOdb's datadict where one can filter SQL based on the identified field
>names does make life easier.
>> 
>> While the problems of dealing with student names such as 'Delete from
>student' are easily solved by only using them in parameter arrays.
>> 
>> A few simple basics cover the vast majority of traditional SQL
>injection problems?
>
>Yes, apparently.   
>
>Part of why I even asked is to get a sense of the shelf life on legacy
>code (that relies on escaping) which I am not keen to have to re-write,
>for free, until I really must.
>
>
>-Govinda
>--
>PHP General Mailing List (http://www.php.net/)
>To unsubscribe, visit: http://www.php.net/unsub.php

I think you can happily sanitise data where it makes sense, and use bound parameters elsewise. So when you expect a number, its easy to check for and force a sensible default. Likewise for things like dates, or names of articles (probably a popular need with a CMS) you can check and enforce particular characters.

Outside of that, without bound params you run a potential risk (even if only slight). You can do stuff like base64 encode values, but then you lose a lot of the ability to search through your DB after.

Thanks,
Ash
http://ashleysheridan.co.uk

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux