Posted by Malcolm Dew-Jones on 07/01/07 01:44

Jerry Stuckle (jstucklex@attglobal.net) wrote:
: Malcolm Dew-Jones wrote:
: > jb (jbriere@gmail.com) wrote:
: > : Hi all, ive been tasked with reviewing a php app for sql injection
: > : vulnerabilities left behind by another developer.
: >
: > Use bind variables, Some oracle examples to illustrate how
: >
: > (old link, is this still around?)
: >
: > http://www.oracle.com/ technology/ pub/ articles/
: > oracle_php_cookbook/ ullman_bindings.html
: >
: >
: > You're using mysql so use either of the following interfaces
: >
: > 1) mysql via mysqli (look for "bind")
: >
: > http://ca.php.net/mysqli
: >
: >
: > 2) mysql without mysqli
: >
: > <quote>
: > Andy Hassall
: > Sep 6, 2:28 pm
: > ...
: > I recommend using the ADOdb library
: > (http://adodb.sourceforge.net/).
: > </quote>
: >
: >

: Bind variables are not necessary is you use mysql_real_escape_string and
: otherwise validate your data (i.e. a numeric value is truly numeric).

That is true.

However, bind variables provide a systematic way to solve code injection.
"Systematic" here means the technique does not depend on the skill of the
programmer. A lousy programmer might write a buggy query, but if it's a
static piece of text with bind variables then I know at a glance that code
injection is not one of its flaws.

Bind variables allow me to write queries that are easy to develop and test
in other environments. I use Oracle. I run queries interactively in
sqlplus. The query I run interactively can be copied into code with no
changes whatever if it uses bind variables. That is not true for a query
built using string manipulations.

In some environments (though not mysql yet, as far as I know), bind
variables assist in code optimization because the database engine can
recognize and reuse queries that are identical except for the parameters.

And finally, with a small amount of practise, queries with bind variables
are easier to write because you don't don't have to do the extra work of
coding a series of string manipulations.

$0.10

• Next in forum: Re: For the lif of me I CANNOT find the error cause!....[php parsing error]
• Prev in forum: Re: To allow access only from the designated site.
• Thread view: Re: Question re: sql injection

[Reply to this message]