Re: Another form of SQL injection



Use PHP 5's mysqli class. It allows query parameters to be bound and
hence forces us to explicitly declare the type of parameter being
passed (string/double/integer/blob). This way, the SQL injections you
mentioned can be prevented.

Hope this helps.


frizzle wrote:
Chung Leong wrote:
howachen@xxxxxxxxx wrote:
Hi,

In many web articles, people focusing on SQL injection in the form of :


e.g.
/**********************************************************/
// Case 1: string context, attacker must break out of the quotes
$name = "tom' UNION blah blah blah";
$query = "SELECT * FROM users WHERE name = '" . $name . "'";
/**********************************************************/

However, another form of SQL injection might in the form of...

/**********************************************************/
// Case 2: numeric context, no quote needed to inject
$name = "1 UNION blah blah blah";
$query = "SELECT * FROM users WHERE id = " . $name;
/**********************************************************/

For case 1, we can easily solve it by escaping the special characters
like " ' ", but how do we solve case 2?

Thanks.

Yeah, that's something that's often overlooked. What you want to do is
cast the variable to integer. PHP will convert a string that's not a
number into zero, so an attempt at SQL injection would yield a no-op.

Also keep an eye out for IN constructs:

// Every checkbox value is concatenated into the IN list unchecked
$sql = "SELECT * FROM users WHERE id IN (" . implode(',', $_POST['checkboxes']) . ")";

An easy way to prevent injection in this case is to use intval() on
every element with the help of array_map().

But what I forgot is to enclose the variable part of the query (WHERE
clause) within those single quotation marks. That should have it treat
it as a string ...

Frizzle.
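
The two injection forms from the thread and the three defences discussed (intval() on a single id, array_map('intval', ...) on an IN list, and mysqli prepared statements with a typed bind), as an added PHP example that is not code from any poster in this thread. The attacker input and the `admins` table in the payload are constructed for illustration; the mysqli functions assume an existing connection `$db` and a `users` table with an integer `id` column, and are not executed here. The example also covers two edge cases the posts do not mention: a non-array or empty checkbox list (IN () is a MySQL syntax error), and binding a variable-length IN list with a prepared statement.

```php
<?php
// Added example, not from the original thread. Shows the unquoted-number
// injection and its hardened forms. The mysqli functions assume a live
// connection ($db) and a `users` table with an integer `id` column.

// Constructed attacker input for the numeric case: no quote is needed.
$hostile_id = "1 UNION SELECT username, password FROM admins";

// Vulnerable: the number is concatenated straight into the query, so
// escaping quotes does nothing here.
function vulnerable_query($id) {
    return "SELECT * FROM users WHERE id = " . $id;
}

// Hardened with a cast: intval() keeps the leading digits and drops the
// rest, so "1 UNION ..." becomes 1 and the payload never reaches SQL.
function safe_query_intval($id) {
    return "SELECT * FROM users WHERE id = " . intval($id);
}

// Hardened IN (...) list: cast every element, reject non-arrays, and
// handle an empty selection (IN () is a MySQL syntax error).
function safe_in_query($ids) {
    if (!is_array($ids) || count($ids) === 0) {
        return null; // caller should treat this as "no rows"
    }
    $clean = array_map('intval', $ids);
    return "SELECT * FROM users WHERE id IN (" . implode(',', $clean) . ")";
}

// Preferred: mysqli prepared statement with a typed bind ('i' = integer).
// Assumes $db is a connected mysqli instance; get_result() needs mysqlnd.
function find_user_by_id(mysqli $db, $id) {
    $stmt = $db->prepare("SELECT * FROM users WHERE id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row;
}

// IN (...) with a prepared statement: one placeholder per element, every
// element bound as an integer. Argument unpacking (...$ids) needs PHP 5.6+.
function find_users_by_ids(mysqli $db, array $ids) {
    $ids = array_values(array_map('intval', $ids));
    if (count($ids) === 0) {
        return array();
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT * FROM users WHERE id IN ($placeholders)");
    $stmt->bind_param(str_repeat('i', count($ids)), ...$ids);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Compare the query strings built from the hostile input.
echo vulnerable_query($hostile_id), "\n";
echo safe_query_intval($hostile_id), "\n";
echo safe_in_query(array('3', '7 OR 1=1', 'abc')), "\n";
```

Running the echo lines shows the difference: the vulnerable builder emits the UNION verbatim, while `intval("1 UNION SELECT ...")` evaluates to 1, `intval("7 OR 1=1")` to 7, and `intval("abc")` to 0, so the cast versions contain only integers. The prepared-statement versions are the ones to use in new code: the 'i' type in bind_param() makes MySQL treat the value as an integer regardless of its string content, so no query text is ever assembled from user input.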
