|
|
Posted by noor.rahman@gmail.com on 12/18/58 11:49
Use PHP 5's mysqli class. It allows query parameters to be binded and
hence forces us to explicitly declare the type of parameter being
passed (string/double/integer/blob). This way, SQL injections that you
mentioned can be prevented.
Hope this helps.
frizzle wrote:
> Chung Leong wrote:
> > howachen@gmail.com wrote:
> > > Hi,
> > >
> > > In many web articles, people focusing on SQL injection in the form of :
> > >
> > >
> > > e.g.
> > > /**********************************************************/
> > > $name = "tom' UNION blah blah blah"
> > > $query = "SELECT * FROM users WHERE name = '".$name."';
> > > /**********************************************************/
> > >
> > > However, another form of SQL injection might in the form of...
> > >
> > > /**********************************************************/
> > > $name = "1 UNION blah blah blah"
> > > $query = "SELECT * FROM users WHERE id = ".$name;
> > > /**********************************************************/
> > >
> > > for case 1, we can easily solved by escaping the special characters
> > > like " ' ", but how to solve for case 2?
> > >
> > > Thanks.
> >
> > Yeah, that's something that's often overlooked. What you want to do is
> > cast the variable to integer. PHP will convert a string that's not a
> > number into zero, an attempt at SQL injection would yield an no-op.
> >
> > Also keep an eye out for IN constructs:
> >
> > $sql = "SELECT * FROM users WHERE id IN (" . implode(',',
> > $_POST['checkboxes']) .")";
> >
> > An easy way to prevent injection in this case is to use a intval() on
> > every element with the help of array_map().
>
> but what i forgot is to enclose the variable part of the query (WHERE
> clause) within those single quotation marks. That should have it treat
> is as a string ...
>
> Frizzle.
Navigation:
[Reply to this message]
|