Re: SQL injection and PHP/MYSQL
From: Brad Fults (brad at mipscomputation.com)
Date: Wed Sep 10 2003 - 12:55:34 CDT
After using mysql_escape_string() to insert data into the database, is there
an equal combination of unescaping one should do when the data is pulled
from the database, or is a stripslashes() all that is necessary?
----- Original Message -----
From: "shimi" <shimi at shimi.net>
To: "Robert Buljevic" <skeptic at s1c.org>
Cc: <webappsec at securityfocus.com>
Sent: Tuesday, September 09, 2003 2:10 PM
Subject: Re: SQL injection and PHP/MYSQL
>
> Uhm: http://php.net/mysql-escape-string
>
> On Tue, 9 Sep 2003, Robert Buljevic wrote:
>
> > I'm well aware of the sql injection problem when accepting non-trusted
> > data.
> > However, I'm interested in a more concrete example, precisely the
> > PHP/MySQL combination.
> >
> > Suppose I have some input text that's passed to mysql for searching via
> > http get request.
> > What characters should I allow/disallow?
> > And is it enough to use PHP's addslashes function? If not, why? Could
> > you provide any example of input that could cause injection even if it's
> > slashed - always referring to the particular case of PHP/MYSQL?
> >
> > Any info would be appreciated... Thanks!
> >
> > Robert Buljevic
> >
>
> --
>
> Best regards,
> Shimi
>
> ----
>
> "Outlook is a massive flaming horrid blatant security violation, which
> also happens to be a mail reader."
>
> -=The best way to accelerate a Windows machine is at 9.81 m/s^2=-
>
> "Sure UNIX is user friendly; it's just picky about who its friends
> are."
>
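An added example (not code from anyone in this thread) that illustrates the point behind both questions: escaping belongs to the SQL query text, so the server stores the original value and no unescaping is needed on read; the table name, column names and credentials are assumptions. It also shows the prepared-statement form, which avoids hand-escaping altogether.

```php
<?php
// Added example, not from the original thread. Assumes a local MySQL server with a
// database `demo` containing `notes (id INT AUTO_INCREMENT PRIMARY KEY, body TEXT)`.

// Legacy path (PHP 4/5, ext/mysql): escape the value for the SQL literal only.
function store_and_reload_escaped($input)
{
    $link = mysql_connect('localhost', 'user', 'secret') or die(mysql_error());
    mysql_select_db('demo', $link) or die(mysql_error());

    // If magic_quotes_gpc is on, PHP already added slashes to request data;
    // remove them so the value is escaped exactly once, by us.
    if (get_magic_quotes_gpc()) {
        $input = stripslashes($input);
    }

    // mysql_real_escape_string() is the connection-aware variant of
    // mysql_escape_string(); prefer it over addslashes(), which ignores the charset.
    $sql = sprintf("INSERT INTO notes (body) VALUES ('%s')",
                   mysql_real_escape_string($input, $link));
    mysql_query($sql, $link) or die(mysql_error());

    // The backslashes were consumed by the SQL parser, so the stored text equals
    // the original input. Reading back needs no stripslashes().
    $res = mysql_query('SELECT body FROM notes ORDER BY id DESC LIMIT 1', $link);
    $row = mysql_fetch_assoc($res);
    mysql_close($link);
    return $row['body'] === $input;
}

// Preferred path (PHP 5.1+, PDO): the value never becomes part of the query text,
// so the question of which characters to allow or disallow does not arise.
function store_and_reload_prepared($input)
{
    $pdo = new PDO('mysql:host=localhost;dbname=demo;charset=utf8', 'user', 'secret');
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // use server-side prepares

    $ins = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
    $ins->execute(array(':body' => $input));

    $sel = $pdo->query('SELECT body FROM notes ORDER BY id DESC LIMIT 1');
    return $sel->fetchColumn() === $input;
}

// Constructed input containing quotes and a backslash, the characters escaping exists for.
$sample = "O'Reilly said \"hi\" \\ and left";
echo store_and_reload_escaped($sample) ? "escaped: round-trip ok\n" : "escaped: MISMATCH\n";
echo store_and_reload_prepared($sample) ? "prepared: round-trip ok\n" : "prepared: MISMATCH\n";
```

Both functions return true when the value read back is byte-for-byte the original input; a false result from the first one usually means the data was escaped twice (magic_quotes plus manual escaping) on the way in.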