Re: Safe insert queries for mysql ?

Posted by Andy Hassall on 09/07/05 01:28

On 6 Sep 2005 14:27:47 -0700, "frizzle" <phpfrizzle@gmail.com> wrote:

>I was wondering the following: when i insert something
>into a mySQL DB -in a guestbook for instance- i mostly use
>mysql_escape_string($_POST['comment']).

Right, there's the problem to start with: "mostly use". At some point you will
forget to use it, and you've got a potential SQL injection attack opened up.

I recommend using the ADOdb library (http://adodb.sourceforge.net/). This puts
a wrapper around database access which handles escaping for you by emulating
placeholders - or using the database's native support if it has it (older MySQL
doesn't, newer MySQL does, as do other databases such as Oracle that it
supports).

Instead of using the raw MySQL calls and embedding values into SQL:

$res = mysql_query(
    "insert into t (x, y) values (" .
        "'" . mysql_real_escape_string($value_x) . "'," .
        "'" . mysql_real_escape_string($value_y) . "'" .
    ")"
);

... you'd use the ADOdb functions such as:

$db->Execute(
    'insert into t (x,y) values (?,?)',
    array($value_x, $value_y)
);

The library does whatever is required to get the values into the database -
consistently and without you having to worry about quotes, escaping and so on.

If you follow the simple rule that you never put variables (or at least, user
input) into SQL statement strings, you always "bind" them separately like this,
it eliminates the vast majority of SQL injection issues.

--
Andy Hassall :: andy@andyh.co.uk :: http://www.andyh.co.uk
http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool
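The placeholder emulation the post describes, shown as an added example (not ADOdb's own code): each "?" is replaced by the bound value quoted and escaped with MySQL's rules, so the escaping can never be forgotten. The function names, the escape table and the sample inputs are assumptions made for this illustration.

```php
<?php
// Added example (not ADOdb's own code): a minimal emulation of "?"
// placeholders, the approach a wrapper falls back to when the
// database has no native bind support. Escaping rules are MySQL's
// (the characters mysql_real_escape_string() handles); production
// code should use the connection-aware escaper or native prepared
// statements (mysqli/PDO), since the connection charset matters.

function mysql_style_escape(string $s): string {
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Render one bound value as an SQL literal.
function quote_value($v): string {
    if ($v === null) return 'NULL';
    if (is_bool($v)) return $v ? '1' : '0';
    if (is_int($v) || is_float($v)) return (string) $v;
    return "'" . mysql_style_escape((string) $v) . "'";
}

// Replace each "?" with its quoted value. Because every value is
// quoted and escaped, user input cannot alter the statement's
// structure. Caveat: a literal "?" inside the SQL text itself
// would be treated as a placeholder, so keep "?" out of the query.
function bind(string $sql, array $params): string {
    $parts = explode('?', $sql);
    if (count($parts) - 1 !== count($params)) {
        throw new InvalidArgumentException('placeholder/parameter count mismatch');
    }
    $out = $parts[0];
    foreach (array_values($params) as $i => $p) {
        $out .= quote_value($p) . $parts[$i + 1];
    }
    return $out;
}

// Constructed inputs: a legitimate apostrophe and an injection attempt.
$comment = "It's great";
$name    = "x'); delete from t; --";
echo bind('insert into t (x, y) values (?, ?)', [$comment, $name]), "\n";
```

The second value arrives in the database as the literal string it was typed as, because the quote inside it is escaped rather than closing the literal.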
