Posted by Iván Sánchez Ortega on 12/18/06 15:39
Erwin Moller wrote:
 > I use ADODB lib (www.phplens.com/adodb) as a database abstraction layer.
 > It has a function named qstr() that will make a string ready to use in an
 > insert or update statement.
 
 Quick reminder, guys: *ALWAYS* use these kinds of functions before putting a
 string into *ANY* SQL statement.
 
 Yeah, that means that "select" statements are vulnerable to injections too.
 And any other SQL statement you can think of, is too, if it includes a
 user-defined string.
 
 > if magic quotes are on it leaves the string as is.
 > Otherwise it uses mysql_real_escape_string().
 >
 > But since mysql_real_escape_string() escapes more than addslashes(), I
 > wonder if adodb is doing the right thing.
 >
 > addslashes works on: ", ', \, and the NULL-byte
 > mysql_real_escape_string works on:  \x00, \n, \r, \, ', " and \x1a.
 >
 > So \n, \r, \x1a are NOT escaped.
 > Can any of these be used for SQL-injection?
 [...]
 
 For a SQL injection to be successful, the attacker must include a quote. If
 you escape the quotes, you *should* be safe. Inserting a line break will
 most likely stop the execution of the SQL statement.
 
 
 But, in case of doubt, please use a vulnerability check suite: they'll try
 every SQL injection system known. I can't recall the names of any right
 now, so STFW to find 'em.
 
 --
 ----------------------------------
 Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-
 
 A computer is not a television or a microwave, it is a complex tool.
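To make the difference Erwin describes concrete, here is an added example (not code from the thread, ADODB or PHP itself) that reimplements the two documented escape tables and builds the quoted literal qstr() would produce, so you can see exactly which characters addslashes() leaves alone; the input string is constructed for the demonstration.

```python
# Added example: mirror the documented character sets of PHP's addslashes()
# and mysql_real_escape_string(), then compare them on a sample value.
# In real code call the driver's own escaper, or better, use parameterised
# queries; these tables only reproduce what the thread lists.

# addslashes(): escapes  "  '  \  and the NUL byte
ADDSLASHES_MAP = {
    '"': '\\"',
    "'": "\\'",
    "\\": "\\\\",
    "\x00": "\\0",
}

# mysql_real_escape_string(): escapes \x00 \n \r \ ' " and \x1a
MYSQL_ESCAPE_MAP = {
    "\x00": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}


def escape(raw: str, table: dict) -> str:
    """Apply one escape table character by character."""
    return "".join(table.get(ch, ch) for ch in raw)


def addslashes(raw: str) -> str:
    return escape(raw, ADDSLASHES_MAP)


def mysql_real_escape_string(raw: str) -> str:
    return escape(raw, MYSQL_ESCAPE_MAP)


def quote_literal(raw: str, escaper) -> str:
    """Build the single-quoted SQL literal the way qstr() would."""
    return "'" + escaper(raw) + "'"


def left_unescaped(raw: str) -> set:
    """Characters in the MySQL set that addslashes() passes through untouched."""
    return {ch for ch in raw if ch in MYSQL_ESCAPE_MAP and ch not in ADDSLASHES_MAP}


# Constructed sample containing every character from the MySQL list.
SAMPLE = "O'Neil\\ \"x\"\x00\n\r\x1a"

if __name__ == "__main__":
    print(repr(quote_literal(SAMPLE, addslashes)))
    print(repr(quote_literal(SAMPLE, mysql_real_escape_string)))
    print(sorted(left_unescaped(SAMPLE)))  # the three characters Erwin asks about
```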