Re: PHP for preventing SQL injections?

From: wilfrid (wilfriddigifactory.fr)
Date: Wed Sep 17 2003 - 00:27:14 CDT


For this kind of request, if your $id is an INT, you can avoid any
injection with an intval():

$string = "SELECT * FROM tblTable WHERE ID=".intval($id);

If $id contains non-numeric characters, it will return 0.

Wilfrid.

Security OnLine.tk wrote:

>
>I know of something used in ASP, but it could also work in PHP.
>In ASP, you have a string with the SQL commands:
>
>string = "SELECT * FROM tblTable WHERE ID='" & id & "'"
>
>to prevent a SQL injection attack:
>
>string = "SELECT * FROM tblTable WHERE ID=('" & id & "')"
>
>in PHP you could do something like this
>
>$sql_cmds = "SELECT * FROM tblTable WHERE ID=('" . $id . "')";
>
>check if this works
>
>David a.k.a. hanska
>
>
>-------Original Message-------
>
>From: Lefevre, Steven
>Date: Tuesday, 16 September 2003 23.38.58
>To: webappsecsecurityfocus.com
>Subject: PHP for preventing SQL injections?
>
>Hey folks -
>
>Does anyone know of a regexp for checking SQL strings for injection
>attempts?
>
>Steve Lefevre
>Network Administrator
>IMI International, Inc.
>614.839.2500
>
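The three approaches that appear in this thread (wrapping the concatenated value in parentheses, casting to an integer with intval(), and, as the general fix, a parameterised query), exercised side by side against an in-memory SQLite table. This is an added example, not code from any of the posters; it is written in Python so it runs stand-alone, with php_intval() standing in as a simplified emulation of PHP's intval() (PHP's PDO/mysqli prepared statements are the counterpart of the parameterised query). The table contents and the injection payload are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample table; the names follow the thread's
# "SELECT * FROM tblTable WHERE ID=..." example.
ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    """In-memory SQLite database standing in for the application's table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblTable (ID INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO tblTable VALUES (?, ?)", ROWS)
    return conn


def query_parenthesised(conn, user_id):
    """The 'wrap it in parentheses' suggestion: still plain concatenation.
    The parentheses are just more grammar for the attacker to close."""
    sql = "SELECT * FROM tblTable WHERE ID=('" + str(user_id) + "')"
    return conn.execute(sql).fetchall()


def php_intval(value):
    """Simplified emulation of PHP's intval() on a string (an assumption of
    this example, not PHP's full numeric-string rules): optional whitespace,
    optional sign and leading digits are converted; anything else gives 0."""
    m = re.match(r"\s*([+-]?\d+)", str(value))
    return int(m.group(1)) if m else 0


def query_intval(conn, user_id):
    """Cast to int before concatenating. Safe for an integer column because
    the text that reaches the SQL string can only ever be digits."""
    sql = "SELECT * FROM tblTable WHERE ID=" + str(php_intval(user_id))
    return conn.execute(sql).fetchall()


def is_valid_id(value):
    """Allow-list answer to the 'regexp for SQL strings' question: accept
    only what an ID may look like, rather than trying to spot attack syntax.
    The length bound of ten digits is an arbitrary choice for this example."""
    return re.fullmatch(r"[1-9]\d{0,9}", str(value)) is not None


def query_parameterised(conn, user_id):
    """General fix for any column type: the value is sent to the engine
    separately from the statement, so it is never parsed as SQL."""
    return conn.execute("SELECT * FROM tblTable WHERE ID=?", (user_id,)).fetchall()


# Constructed payload: closes the ('...') wrapper and appends an always-true term.
PAYLOAD = "1') OR ('1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("parenthesised :", query_parenthesised(conn, PAYLOAD))  # every row leaks
    print("intval        :", query_intval(conn, PAYLOAD))         # row 1 only
    print("allow-list    :", is_valid_id(PAYLOAD), is_valid_id("2"))
    print("parameterised :", query_parameterised(conn, PAYLOAD))  # no rows
```

Run the file directly to see the four results. The parenthesised query returns the whole table for the payload, the intval() version collapses the payload to `1` and returns a single row, the allow-list check rejects it outright, and the parameterised query compares the literal string against the integer column and matches nothing.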