MySQL (was Re: Notice about seconds overroll - S7K bug)

From: Dennis Murphy (dmurphyat_private)
Date: Sun Sep 16 2001 - 13:24:30 PDT

    > 2. ' or " can protect integers well when used properly. Assume that
    > there is an URL like http://something/show.php?id=10 and in PHP page it
    > is called like:
    >
    > mysql_query("select * from table where id=".addslashes($id)); 
    > 
    > Intruder changes URL to http://something/show.php?id=10%20or%201=1%34
    > which changes command to: select * from table where id=10 or 1=1
    > 
    > I do not want to go into more details as script kiddies also read this list
    > but there are many ways to use it. There is not much in MySQL we can do to
    > change this behaviour. The way you seem we suggest to avoid attacks and
    > you are ironic about is making it:
    > 
    > mysql_query("select * from table where id='".addslashes($id)."'"); 
    > which comes to:
    > select * from table where id='10 or 1=1'
    > or 
    > select * from table where id='10\' or 1=1'
    
    This is slightly off-topic, but I thought I'd offer a possible solution to this
    problem.
    
    The way I dealt with this in PHP is by writing a function to validate input
    (i.e. Make sure there's nothing but an integer coming in as a parameter).  
    There's probably a half-dozen ways to rewrite this function more efficiently,
    but at least it works...
    
    function req_int($num)
    {
      // Take the input, convert it to an int, and then back to a string.  If the
      // result of this mess is exactly equal to the original input, then it's
      // clean.  Otherwise, someone's messing with us.
      // (=== gives an exact string match; PHP's loose == would also accept
      // values such as " 10" or "1e1" as equal to "10".)
      $stripped_var = strval(intval($num));
      if ($num === $stripped_var) {
        return intval($num);
      } else {
        error_log("req_int: rejected parameter value " . $num);
        die("Error.  This invalid access attempt has been logged.");
      }
    }
    
    // ... Buried somewhere in the main code ...
    // Run this through our checker, and make sure it's a valid digit.
    
    $num = req_int($id);
    $query = "select * from web_fac where id LIKE \"$num\"";
    
    
    --dmurphy AT nbvb DOT com
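Added example (not code from the post above): a strict-comparison variant of the integer round-trip check, run over constructed inputs including the "10 or 1=1" string and its addslashes() form from the quoted mail. The function name req_int_strict is an assumption; it assumes PHP 7.1 or later and only prints the query text rather than sending it to a server.

```php
<?php
// Round-trip the value through intval()/strval() and compare strictly, so
// only a canonical decimal integer string passes. Returns null on rejection
// so the caller decides how to log and respond (instead of calling die()).
function req_int_strict(string $raw): ?int
{
    // "10 or 1=1" -> intval 10 -> "10", which !== "10 or 1=1", so it fails.
    if ($raw === strval(intval($raw))) {
        return intval($raw);
    }
    return null;
}

// Constructed sample inputs for this example.
$samples = [
    "10",            // canonical integer: accepted
    "-5",            // negative integer: accepted
    "10 or 1=1",     // injection string from the quoted mail: rejected
    "10\\' or 1=1",  // the addslashes() form from the quoted mail: rejected
    " 10",           // leading space: rejected by ===, accepted by loose ==
    "1e1",           // numeric but not canonical: rejected
    "010",           // leading zero: rejected (intval gives 10 -> "10")
];

foreach ($samples as $s) {
    $id = req_int_strict($s);
    if ($id === null) {
        printf("%-16s rejected\n", var_export($s, true));
        continue;
    }
    // $id is an int here, so interpolating it cannot change the SQL shape.
    printf("%-16s accepted -> select * from table where id=%d\n",
           var_export($s, true), $id);
}
```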
    



    This archive was generated by hypermail 2b30 : Sun Sep 16 2001 - 19:24:01 PDT