RE: Blind SQL Injection / Stored procedures

From: LAROUCHE Francois (Francois.Laroucheaccorservices.com)
Date: Fri Nov 18 2005 - 04:55:00 CST


Hi phillip,

The first thing I can tell you about PHP, since I don't know much about it, is the use of the magic quotes option. You should find valuable information on this topic on Google. However, you have to know that there are some problems with it. Read it carefully.

Now the problem with PHP is that below version 5 (not 100% sure) there is nothing that prevents SQL injection, since the SQL is inline in the code. Even with magic quotes it's dangerous, since you can achieve SQL injection without a single quote (when there is an integer argument, for instance).

There is another option I found, a database abstraction layer package made by PEAR; it works on PHP 4 and 5 and should be free (pear.php.net/package/DB). Now I don't know if it's a good product or not, or really secure, but you can always try. I just know they use their own prepared statements and quote stripping.

Good luck!

François Larouche

P.S. It's not a good idea to talk openly about your architecture on the net, not all people on this list are pure of heart :) NASA is an attractive place...
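The point made above about integer arguments, as an added worked example that is not part of the original post or of PEAR DB. PHP's magic_quotes_gpc is modelled by a small Python function (the name magic_quotes and the backslash-escaping behaviour are assumptions, following PHP's addslashes()), the database is an in-memory SQLite table with constructed rows rather than MySQL, and the three lookup functions are hypothetical names for the inline, prepared-statement and type-checked variants of the same query.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample table standing in for a real application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", 0), (2, "bob", 0), (3, "root", 1)],
    )
    return conn


def magic_quotes(value: str) -> str:
    """Assumed model of PHP magic_quotes_gpc / addslashes(): backslash-escape ' " and \\.

    It only touches quote characters, so a payload that contains none passes through
    unchanged. (Backslash escaping is MySQL's convention; SQLite ignores it, which is
    one more reason escaping is no substitute for bound parameters.)
    """
    return "".join("\\" + ch if ch in "'\"\\" else ch for ch in value)


def lookup_inline(conn: sqlite3.Connection, user_id: str):
    """The vulnerable pattern: SQL assembled by concatenation after 'magic quotes'.

    Because the id is a numeric literal, no quote is needed to break out of it.
    """
    sql = "SELECT id, name FROM users WHERE id = " + magic_quotes(user_id)
    return conn.execute(sql).fetchall()


def lookup_prepared(conn: sqlite3.Connection, user_id):
    """Bound parameter: the value is data, never parsed as SQL.

    An injected string is compared as a whole to the integer column and matches nothing.
    """
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


def lookup_typed(conn: sqlite3.Connection, user_id: str):
    """Belt and braces for integer ids: reject anything that is not an integer up front,
    then still bind the value."""
    return lookup_prepared(conn, int(user_id))


if __name__ == "__main__":
    db = setup_db()
    payload = "2 OR 1=1"  # constructed attacker input; contains no quote character
    print("escaped payload :", magic_quotes(payload))
    print("inline query    :", lookup_inline(db, payload))     # every row, including root
    print("prepared query  :", lookup_prepared(db, payload))   # nothing
    try:
        lookup_typed(db, payload)
    except ValueError as exc:
        print("typed lookup    : rejected,", exc)
```

Run it and the inline query returns all three users for the input `2 OR 1=1`, while the escaping function has returned the payload byte for byte. The prepared variant returns an empty result for the same input, and the typed variant refuses it before a query is built.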
