Re: PHPNuke SQL Injection / General SQL Injection

From: MightyE (mightyeat_private)
Date: Sat Feb 22 2003 - 13:20:29 PST


    Actually, user supplied input from $_COOKIES, $_POST, and $_GET comes 
    slash-escaped, so if the user enters
    ' or 1=1
    as their input, the sql statement will look like
    where some_int='\' or 1=1'
    
    This is determined by the PHP directive, magic_quotes_gpc.  During 
    script execution, you can execute
    if (!get_magic_quotes_gpc()){
        //code to recurse global variables, calling addslashes() on their values
    }
    to ensure that all user supplied input is properly escaped.
    
    The proper escaping for ' and " in most databases (excluding Oracle and 
    Sybase only, I believe), is to use \', \", and \\.
    
    In Oracle and Sybase, ' and " are escaped as '' and "".   Magic quotes 
    in PHP can be configured for Sybase compatibility, see the PHP website.
    
    What I do on my portable code, where I can't know whether or not the 
    server it's running on has magic quotes enabled, is use a function like 
    this:
    
    function escape($input){
        if (get_magic_quotes_gpc()) return $input;
        return addslashes($input);
    }
    
    and run all user input through that.  As far as I know, all major databases 
    accept quoted integers and interpret them as standard integers, so 
    *always* quote user input so that they cannot inject SQL.
    
    David Walker wrote:
    
    >When programming a system that creates sql strings based on passed in integers
    >i.e. where some_int=$variable_from_querystring
    >you must always do a check to confirm that that variable contains only numeric 
    >data.   
    >
    >an alternate fix on sql servers that allow the format
    >where some_int='1234' -- (quoted numbers)
    >would be to do
    >where some_int='replace($variable_from_querystring,"'","''")'
    >This would cause a more than likely harmless error to occur whenever character 
    >occurs within the passed in numeric/integer variable.
    
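As an added example (not code from the original post or from PHPNuke), the two defenses the thread discusses in one PHP sketch: undoing magic_quotes_gpc in one place so that input is escaped exactly once, always quoting string parameters, and separately rejecting non-numeric values for integer columns. It assumes a backslash-escaping database in the MySQL style; the function names and sample inputs are the example's own.

```php
<?php
// Added example, not from the original post. Assumes a MySQL-style
// backslash-escaping database; names and sample inputs are constructed.

// Normalize input so it always arrives unescaped. Applying addslashes() to
// input that magic_quotes_gpc already escaped gives \\' in the query, so
// strip the automatic escaping once, here, and escape deliberately later.
// The function_exists() guard keeps this running where magic quotes no
// longer exist (the function was removed in PHP 8).
function raw_input($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return is_array($value) ? array_map('raw_input', $value) : stripslashes($value);
    }
    return $value;
}

// Escape and quote a string parameter. Quoting unconditionally, as the post
// advises, keeps a stray quote inside the literal instead of ending it.
// A driver-aware escaper such as mysql_real_escape_string() also handles
// multibyte character-set issues that addslashes() does not.
function sql_string($value) {
    return "'" . addslashes($value) . "'";
}

// For integer columns, refuse anything that is not an unsigned decimal
// number rather than relying on quoting alone (David Walker's first fix).
function sql_int($value) {
    if (!is_string($value) || !ctype_digit($value)) {
        throw new InvalidArgumentException('expected a numeric parameter');
    }
    return (string) (int) $value;
}

// Constructed sample inputs: a legitimate id and the thread's probe string.
$samples = array("1234", "' or 1=1");
foreach ($samples as $raw) {
    $value = raw_input($raw);
    echo "quoted:  SELECT * FROM items WHERE some_int=" . sql_string($value) . "\n";
    try {
        echo "checked: SELECT * FROM items WHERE some_int=" . sql_int($value) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "checked: rejected (" . $e->getMessage() . ")\n";
    }
}
```

For the probe string the quoted form yields `where some_int='\' or 1=1'`, exactly the harmless literal the post describes, while the integer check rejects it outright.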
    This archive was generated by hypermail 2b30 : Sun Feb 23 2003 - 10:26:12 PST