Re: PHP for preventing SQL injections?

From: Harry M (harrymthe-group.org)
Date: Wed Sep 17 2003 - 15:04:10 CDT


That's what I use:

<?php

...

// Refuse to go any further unless $SomeVar already has integer type
if(!is_integer($SomeVar)){
  // bail out: the value is not what this page expects
}

// Only a value that passed the check above is used to build the query
$Query = "some_sql_here";

...

?>

Assuming there's no reasonable way a supposedly int value could become
something else, I often IP-ban people temporarily or invalidate sessions when
these kinds of checks fail, on the reasoning that only naughty people
should be affected.

Harry

----- Original Message -----
From: <cipherzslamsoft.dk>
To: "wilfrid" <wilfriddigifactory.fr>; "Security OnLine.tk"
<securityonlineemail.it>
Cc: <webappsecsecurityfocus.com>
Sent: Wednesday, September 17, 2003 11:52 AM
Subject: Re: PHP for preventing SQL injections?

Not sure if it has been mentioned, but what about the PHP function
is_integer?

 /ciph
----- Original Message -----
From: "wilfrid" <wilfriddigifactory.fr>
To: "Security OnLine.tk" <securityonlineemail.it>
Cc: <webappsecsecurityfocus.com>
Sent: Wednesday, September 17, 2003 6:27 AM
Subject: Re: PHP for preventing SQL injections?

> For this kind of request, if your $id is an INT, you can avoid all
> injection by an intval() :
>
> $string = "SELECT * FROM tblTable WHERE ID=".intval($id);
>
> If $id contains non-number characters, it will return 0.
>
> Wilfrid.
>
> Security OnLine.tk wrote:
>
> >
> >I know something to use in ASP, but it could be good also in PHP.
> >In ASP, you get a string with the SQL commands:
> >
> >string = "SELECT * FROM tblTable WHERE ID='" & id & "'"
> >
> >to prevent a SQL injection attack:
> >
> >string = "SELECT * FROM tblTable WHERE ID=('" & id & "')"
> >
> >in PHP you could do something like this
> >
> >$sql_cmds = "SELECT * FROM tblTable WHERE ID=('" . $id . "')";
> >
> >check if this works
> >
> >David a.k.a. hanska
> >
> >
> >-------Original Message-------
> >
> >From: Lefevre, Steven
> >Date: Tuesday, 16 September 2003 23.38.58
> >To: webappsecsecurityfocus.com
> >Subject: PHP for preventing SQL injections?
> >
> >Hey folks -
> >
> >Does anyone know of a regexp for checking SQL strings for injection
> >attempts?
> >
> >Steve Lefevre
> >Network Administrator
> >IMI International, Inc.
> >614.839.2500
> >
> >.
> >
> >
> >
>
>
>
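As an added example, not taken from any message in this thread: the checks proposed above (intval(), is_integer(), and a strict digits-only test) are run against a handful of constructed inputs, and each candidate query is executed against an in-memory SQLite table through PDO so the effect can be reproduced offline. The table, its rows, the sample inputs and the injection-shaped string '2) OR (1=1' are constructed for the demonstration and do not appear in the thread; PDO with the pdo_sqlite extension is assumed to be available, and the bound-parameter variant at the end is a later PHP technique that the 2003 messages do not mention.

```php
<?php
// Added example, not from the original thread: run the integer checks proposed
// above against constructed inputs and execute each resulting query through PDO
// on an in-memory SQLite table. Assumes the pdo_sqlite extension is available.
declare(strict_types=1);

/** What each check from the thread says about a raw request value (always a string). */
function classify(string $id): array
{
    return [
        'intval'      => intval($id),                           // Wilfrid: leading digits kept, otherwise 0
        'is_integer'  => is_integer($id),                       // ciph/Harry: type test, false for any string
        'digits_only' => preg_match('/\A[0-9]+\z/', $id) === 1, // strict whitelist: ASCII digits only
    ];
}

/** Plain concatenation, as in the thread's first examples: attacker text reaches the SQL. */
function naiveQuery(string $id): string
{
    return 'SELECT * FROM tblTable WHERE ID=(' . $id . ')';
}

/** Wilfrid's suggestion: cast to int first, so only a number is ever concatenated. */
function intvalQuery(string $id): string
{
    return 'SELECT * FROM tblTable WHERE ID=' . intval($id);
}

/** Constructed table for the demonstration. */
function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tblTable (ID INTEGER PRIMARY KEY, Name TEXT)');
    foreach ([[1, 'alice'], [2, 'bob'], [3, 'carol']] as [$rowId, $name]) {
        $stmt = $db->prepare('INSERT INTO tblTable VALUES (:id, :name)');
        $stmt->execute([':id' => $rowId, ':name' => $name]);
    }
    return $db;
}

/** Rows returned by a literal SQL string; -1 when the database rejects the statement. */
function rowCount(PDO $db, string $sql): int
{
    try {
        return count($db->query($sql)->fetchAll(PDO::FETCH_ASSOC));
    } catch (PDOException $e) {
        return -1;
    }
}

/** Whitelist plus bound parameter: the value is never spliced into the SQL text. */
function preparedCount(PDO $db, string $id): int
{
    if (preg_match('/\A[0-9]+\z/', $id) !== 1) {
        return 0; // reject instead of coercing: junk, padding and injection text all stop here
    }
    $stmt = $db->prepare('SELECT * FROM tblTable WHERE ID = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

$db = setupDb();
// Constructed sample inputs: a valid ID, junk, padded and negative values, and an
// injection-shaped string aimed at the parenthesised form discussed in the thread.
$inputs = ['2', '12abc', 'abc', ' 2', '-1', '2) OR (1=1'];

foreach ($inputs as $id) {
    $c = classify($id);
    printf("%-14s intval=%-3d is_integer=%-5s digits_only=%-5s naive_rows=%2d intval_rows=%2d prepared_rows=%2d\n",
        var_export($id, true),
        $c['intval'],
        var_export($c['is_integer'], true),
        var_export($c['digits_only'], true),
        rowCount($db, naiveQuery($id)),
        rowCount($db, intvalQuery($id)),
        preparedCount($db, $id));
}
```

Run it from the command line with php. The payload line is where the columns diverge: plain concatenation returns every row in the table, the intval() form reduces the payload to its leading number and returns only that row, and the whitelist-plus-bind form rejects it. The is_integer column reads false on every line because values pulled from $_GET or $_POST are strings; a type test on its own therefore does not distinguish '2' from '2) OR (1=1', which is why intval() or an explicit digits-only test has to do the work before the value goes anywhere near the SQL.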