|
|
Posted by Chung Leong on 10/17/53 11:49
frizzle wrote:
> Chung Leong wrote:
> > howachen@gmail.com wrote:
> > > Hi,
> > >
> > > In many web articles, people focusing on SQL injection in the form of :
> > >
> > >
> > > e.g.
> > > /**********************************************************/
> > > $name = "tom' UNION blah blah blah"
> > > $query = "SELECT * FROM users WHERE name = '".$name."';
> > > /**********************************************************/
> > >
> > > However, another form of SQL injection might in the form of...
> > >
> > > /**********************************************************/
> > > $name = "1 UNION blah blah blah"
> > > $query = "SELECT * FROM users WHERE id = ".$name;
> > > /**********************************************************/
> > >
> > > for case 1, we can easily solved by escaping the special characters
> > > like " ' ", but how to solve for case 2?
> > >
> > > Thanks.
> >
> > Yeah, that's something that's often overlooked. What you want to do is
> > cast the variable to integer. PHP will convert a string that's not a
> > number into zero, an attempt at SQL injection would yield an no-op.
> >
> > Also keep an eye out for IN constructs:
> >
> > $sql = "SELECT * FROM users WHERE id IN (" . implode(',',
> > $_POST['checkboxes']) .")";
> >
> > An easy way to prevent injection in this case is to use a intval() on
> > every element with the help of array_map().
>
> but what i forgot is to enclose the variable part of the query (WHERE
> clause) within those single quotation marks. That should have it treat
> is as a string ...
>
> Frizzle.
Well, if it's meant to be a string, then it wouldn't have worked in the
first place. If a variable is supposed to be a number, then casting it
to int prevents it from being something else.
Navigation:
[Reply to this message]
|