|
|
Posted by Chung Leong on 10/17/70 11:49
howachen@gmail.com wrote:
> Hi,
>
> In many web articles, people focusing on SQL injection in the form of :
>
>
> e.g.
> /**********************************************************/
> $name = "tom' UNION blah blah blah"
> $query = "SELECT * FROM users WHERE name = '".$name."';
> /**********************************************************/
>
> However, another form of SQL injection might in the form of...
>
> /**********************************************************/
> $name = "1 UNION blah blah blah"
> $query = "SELECT * FROM users WHERE id = ".$name;
> /**********************************************************/
>
> for case 1, we can easily solved by escaping the special characters
> like " ' ", but how to solve for case 2?
>
> Thanks.
Yeah, that's something that's often overlooked. What you want to do is
cast the variable to integer. PHP will convert a string that's not a
number into zero, an attempt at SQL injection would yield an no-op.
Also keep an eye out for IN constructs:
$sql = "SELECT * FROM users WHERE id IN (" . implode(',',
$_POST['checkboxes']) .")";
An easy way to prevent injection in this case is to use a intval() on
every element with the help of array_map().
Navigation:
[Reply to this message]
|