Posted by Jerry Stuckle on 06/28/07 22:40

Malcolm Dew-Jones wrote:
> jb (jbriere@gmail.com) wrote:
> : Hi all, ive been tasked with reviewing a php app for sql injection
> : vulnerabilities left behind by another developer.
>
> Use bind variables, Some oracle examples to illustrate how
>
> (old link, is this still around?)
>
> http://www.oracle.com/ technology/ pub/ articles/
> oracle_php_cookbook/ ullman_bindings.html
>
>
> You're using mysql so use either of the following interfaces
>
> 1) mysql via mysqli (look for "bind")
>
> http://ca.php.net/mysqli
>
>
> 2) mysql without mysqli
>
> <quote>
> Andy Hassall
> Sep 6, 2:28 pm
> ...
> I recommend using the ADOdb library
> (http://adodb.sourceforge.net/).
> </quote>
>
>

Bind variables are not necessary is you use mysql_real_escape_string and
otherwise validate your data (i.e. a numeric value is truly numeric).


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

• Next in forum: Re: Question re: sql injection
• Prev in forum: Re: php speed compared to C++ cgi
• Thread view: Re: Question re: sql injection

[Reply to this message]