On Wed, 30 May 2001, Ryan Fox wrote:
> One more point here.
>
> > Simply adding a quote is not the proper way to handle this in PHP.
>
> Not really. There are other malicious characters that can be used in SQL
> statements. The one in the front of my mind is ";", used to terminate a
> query and begin a new one. Think of $IDNumber=";drop database foo". (This
> can be helped by using a database with proper access controls set up, so the
> user the web process normally connects as does not have permission to drop a
> database. I don't know if this product sets itself up like that by
> default.)
>
> Good programming practice is to code a function specifically to strip any
> possible malicious characters out of strings, and wrap it around every
> variable put into a query, whether it should be user-supplied or not.
> Addslashes is a good function to call from your stripping function, but it
> should not be your only line of defense.
>
> Ryan Fox
>
>

The only malicious character in an SQL query executed from PHP is '. If you have for example:

select * from kokos where user='$user'

and $user=';drop database totos;' then the SQL query will be:

select * from kokos where user=';drop database totos;'

and that's ONE SQL statement. The ; inside the quotes is simply part of a STRING. The only way to get out of a string is with a ' and the ' gets stripped out with addslashes. If the user-supplied variable isn't treated as a string but as part of the SQL statement, then you have to escape ; as well.

Steve Stavropoulos
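The string-context versus bare-value distinction the two messages argue over, worked through in Python as an added example (not code from this thread): a port of PHP's addslashes() plus a small splitter that counts top-level statements, honouring MySQL-style backslash escapes inside single-quoted strings, and a parameterized sqlite3 lookup that sidesteps the whole question. The table name kokos and the test payloads are taken from the thread; the splitter and the sqlite3 schema are assumptions made for the demonstration.

```python
import sqlite3

def addslashes(s: str) -> str:
    """Simplified port of PHP addslashes(): backslash-escape ' " \\ and NUL."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\x00", "\\0"))

def split_statements(sql: str) -> list:
    """Split on ';' only outside single-quoted strings (backslash escapes honoured,
    as a MySQL-style server would parse them). Assumed toy parser, not a real one."""
    stmts, cur, in_str, i = [], [], False, 0
    while i < len(sql):
        ch = sql[i]
        if in_str and ch == "\\" and i + 1 < len(sql):
            cur.append(sql[i:i + 2])      # escaped char stays inside the string
            i += 2
            continue
        if ch == "'":
            in_str = not in_str
        if ch == ";" and not in_str:
            stmts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    tail = "".join(cur).strip()
    if tail:
        stmts.append(tail)
    return stmts

STRING_CTX = "select * from kokos where user='{}'"   # value spliced inside quotes
NUMERIC_CTX = "select * from kokos where id={}"      # value spliced as bare SQL

def statement_count(template: str, value: str, escape: bool = True) -> int:
    """How many statements the server would see for this template + input."""
    v = addslashes(value) if escape else value
    return len(split_statements(template.format(v)))

def parameterized_lookup(value: str) -> list:
    """Bind the value as a parameter; the driver never splices it into SQL text,
    so neither ' nor ; can change the statement. Constructed in-memory table."""
    con = sqlite3.connect(":memory:")
    con.execute("create table kokos (user text)")
    con.execute("insert into kokos values (?)", (value,))
    rows = con.execute("select user from kokos where user=?", (value,)).fetchall()
    con.close()
    return [r[0] for r in rows]

if __name__ == "__main__":
    print(statement_count(STRING_CTX, "';drop database totos;'"))         # 1
    print(statement_count(STRING_CTX, "';drop database totos;'", False))  # 3
    print(statement_count(NUMERIC_CTX, ";drop database foo"))             # 2
    print(parameterized_lookup("';drop database totos;'"))
```

The first two counts show Steve's point (inside quotes, only an unescaped ' breaks out); the third shows Ryan's (addslashes does nothing for a value spliced in unquoted), and binding makes the input plain data in both cases.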
This archive was generated by hypermail 2b30 : Fri Jun 01 2001 - 12:20:49 PDT