Posted by shimmyshack on 06/29/07 11:22
On Jun 29, 9:10 am, gosha bine <stereof...@gmail.com> wrote:
> On 29.06.2007 00:50 Jerry Stuckle wrote:
>
> > Chris Hope wrote:
> >> Jerry Stuckle wrote:
>
> >>> Malcolm Dew-Jones wrote:
> >>>> jb (jbri...@gmail.com) wrote:
> >>>> : Hi all, I've been tasked with reviewing a PHP app for SQL injection
> >>>> : vulnerabilities left behind by another developer.
>
> >>>> Use bind variables. Some Oracle examples to illustrate how
>
> >> [snip]
>
> >>> Bind variables are not necessary if you use mysql_real_escape_string
> >>> and otherwise validate your data (i.e. a numeric value is truly
> >>> numeric).
>
> >> But using bind variables means you don't need to bother escaping the
> >> data, because it's handled for you automatically.
>
> > Sure. But then you have to set up the query for binding then bind the
> > variables. Extra work over simple SQL, either way.
>
> > Don't get me wrong - I'm all for bind variables. I started using them
> > with DB2 in the 80's when you had to use bind variables (or go through a
> > lot of hoops dynamically preparing statements).
>
> > I'm just pointing out that it's not necessary to use them to protect
> > against sql injection.
>
> It might be interesting for you to have a look at this blog post
>
> http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-...
>
> --
> gosha bine
>
> extended php parser ~http://code.google.com/p/pihipi
> blok ~http://www.tagarga.com/blok
This problem occurs because mysql_real_escape_string is not using the
character set that MySQL is told to use in the query. So, to prevent this
type of problem, set your character set before the query, allowing
mysql_real_escape_string to take it into account, and after that inside
the query itself for the benefit of letting MySQL know, and then you're OK
again. Common sense really.
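The mismatch shimmyshack describes, modelled as an added Python example (it is not code from this thread, from PHP or from MySQL, and it talks to no database): it re-implements the client-side escaper once assuming a single-byte charset and once knowing the connection is GBK, plus a minimal version of the server's string-literal scanner. The attacker input 0xBF 0x27 and the `users` query are constructed for the demonstration; the function names are illustrative.

```python
# Constructed model of the charset-mismatch bypass of mysql_real_escape_string.
# Client and server are emulated here for GBK; nothing connects to MySQL.

GBK = "gbk"
# Bytes the MySQL escaper always backslash-escapes in a single-byte charset.
SPECIALS = {0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x5C: b"\\\\",
            0x27: b"\\'", 0x22: b'\\"', 0x1A: b"\\Z"}


def gbk_char_len(data: bytes, i: int) -> int:
    """Length of a *valid* GBK character starting at data[i], else 0.

    GBK lead bytes are 0x81..0xFE.  Python's gbk codec rejects a lead byte
    that is followed by an illegal trail byte, e.g. 0xBF 0x27, but accepts
    0xBF 0x5C (the trail byte 0x5C is a backslash in ASCII).
    """
    if 0x81 <= data[i] <= 0xFE and i + 1 < len(data):
        try:
            data[i:i + 2].decode(GBK)
            return 2
        except UnicodeDecodeError:
            return 0
    return 0


def escape_assuming_single_byte(data: bytes) -> bytes:
    """Escaper that believes the connection is latin1: byte-by-byte rules."""
    return b"".join(SPECIALS.get(b, bytes([b])) for b in data)


def escape_assuming_gbk(data: bytes) -> bytes:
    """Escaper that has been told the connection is GBK.

    Complete GBK characters pass through untouched.  A byte that only looks
    like a lead byte (no valid trail follows) is itself escaped, so it can
    no longer merge with an inserted 0x5C into a valid character.
    """
    out, i = bytearray(), 0
    while i < len(data):
        n = gbk_char_len(data, i)
        if n:
            out += data[i:i + n]
            i += n
        elif 0x81 <= data[i] <= 0xFE:
            out += b"\\" + bytes([data[i]])
            i += 1
        else:
            out += SPECIALS.get(data[i], bytes([data[i]]))
            i += 1
    return bytes(out)


def server_split_literal(sql: bytes) -> tuple:
    """Mimic a GBK-speaking server locating the end of a '...' literal.

    `sql` starts just after the opening quote.  Returns (raw literal body,
    bytes after the closing quote).  Multibyte characters are skipped whole,
    so a 0x5C that is the trail byte of a valid GBK character is not an
    escape; a genuine backslash consumes the single byte after it.
    """
    i = 0
    while i < len(sql):
        n = gbk_char_len(sql, i)
        if n:
            i += n
            continue
        if sql[i] == 0x5C:
            i += 2
            continue
        if sql[i] == 0x27:
            return sql[:i], sql[i + 1:]
        i += 1
    raise ValueError("unterminated string literal")


HEAD = b"SELECT * FROM users WHERE name = '"   # constructed query prefix


def sql_after_literal(user_input: bytes, escape) -> bytes:
    """Escape the input, wrap it in quotes, and return what the server
    treats as SQL after the literal.  Anything but b"" means the attacker
    broke out of the string."""
    query = HEAD + escape(user_input) + b"'"
    _body, rest = server_split_literal(query[len(HEAD):])
    return rest


if __name__ == "__main__":
    payload = b"\xbf\x27 OR 1=1 -- "          # constructed attacker input
    print(sql_after_literal(payload, escape_assuming_single_byte))
    print(sql_after_literal(payload, escape_assuming_gbk))
```

With the single-byte escaper the server sees `0xBF 0x5C` as one GBK character and the following `0x27` closes the literal, leaving ` OR 1=1 -- '` as live SQL; with the GBK-aware escaper the lone `0xBF` is escaped first and the quote stays inside the string. In PHP, the "set it before the query" step that makes the escaper charset-aware is `mysql_set_charset()` (or `mysqli_set_charset()`), which informs the client library; a plain `SET NAMES` query only informs the server, which is exactly the split the model above exploits.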