Quoting rain forest puppy (rfpat_private):

> ----[ 3. Solution
<cut>
> In the end, *all* (let me repeat that... **ALL**) incoming user data
> should be passed through quote(), onlynumbers(), or scrubtable()...NO
> EXCEPTIONS! Passing user data straight into a SQL query is asking for
> someone to tamper with your database.
>
> New versions of wwwthreads are available from www.wwwthreads.com, which
> implement the solutions pretty much as I've described them here.

If the script accessing the database uses DBI, it's better to handle a
query the following way:

    # 'table' stands in for your real table name
    my $sth = $dbh->prepare("INSERT INTO table (foo,bar) VALUES (?,?)");
    $sth->execute($evil_unquoted_string, $evil_unquoted_other_string);

Using the '?' placeholders takes care of quoting, and allows re-execute()ing
the query with different parameters. I must admit here that not all DBI
drivers support placeholders, but most do. Of course, catch the results and
check them. Insertion of non-numerics into your database is checked when you
actually _do_ the insert.

Greets,
Robert/Emphyrio

--
| rvdmat_private - Cistron Internet Services - www.cistron.nl |
| php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security         |
| My statements are mine, and not necessarily cistron's.       |
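Added example, not from the post or from wwwthreads: the same contrast between pasting user data into the SQL text and binding it through '?' placeholders, written with Python's sqlite3 module (whose placeholders behave like DBI's) against a constructed in-memory table.

```python
import sqlite3

# Constructed in-memory table standing in for a forum's posts table
# (not wwwthreads' actual schema).
def setup():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    return db

def insert_interpolated(db, author, body):
    # The pattern rfp warns about: user data pasted into the SQL text, so the
    # database parser sees it as part of the statement, not as a value.
    db.execute("INSERT INTO posts (author, body) VALUES ('%s', '%s')" % (author, body))
    db.commit()

def insert_placeholder(db, rows):
    # The DBI-style fix: '?' placeholders. The driver binds each value as data
    # after the statement is parsed, and the prepared statement is re-executed
    # once per row, mirroring prepare()/execute() with different parameters.
    db.executemany("INSERT INTO posts (author, body) VALUES (?, ?)", rows)
    db.commit()

def stored_bodies(db):
    return [row[0] for row in db.execute("SELECT body FROM posts ORDER BY id")]

def demo():
    """Returns what each approach did with a body containing an apostrophe."""
    db = setup()
    tricky = "it's only a test"   # the apostrophe terminates the SQL string literal
    outcome = {}
    try:
        insert_interpolated(db, "alice", tricky)
        outcome["interpolated"] = "inserted"
    except sqlite3.OperationalError as exc:
        # Ordinary input already breaks the query; crafted input could change it.
        outcome["interpolated"] = "rejected by parser: %s" % exc
    insert_placeholder(db, [("alice", tricky), ("bob", "plain text")])
    outcome["placeholder"] = stored_bodies(db)
    return outcome

if __name__ == "__main__":
    print(demo())
```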
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:33:39 PDT