 Posted by Malcolm Dew-Jones on 11/18/05 04:18 
www.douglassdavis.com (doug@douglassdavis.com) wrote: 
 
: I have an idea for preventing sql injection attacks, however it would 
: have to be implemented by the database vendor.  Let me know if I am on 
: the right track, this is totally off base, or already implemented 
: somewhere... 
 
: Let's say you could have a format string such as in printf 
 
: $format=" SELECT %s FROM %s WHERE id='%s' "; 
: $fieldname="last_name"; 
: $tablename="personel"; 
: $id="425"; 
 
: and you could execute a query like 
 
: mysql_query_formatted($format, $fieldname, $tablename, $id); 
 
: now, the key is that instead of just adding the $fieldname, $tablename, 
: $id to the $format string and passing it to mysql_query, it would be 
: passed to the parser as separate strings.  The parser should know how 
: to handle that format.  That way, the parser would always know where 
: the different tables names, field names, and other strings start and 
: end.  So, the problem of injection attacks caused by someone confusing 
: the parser by entering things like ' and " is gone. 
 
 
: It would be easier on the programmer. There would be no need to worry 
: about escape characters when passing to this function, the strings 
: would not have to be escaped.  The parser would no longer have to 
: guess where the boundaries are.  No more worrying about injection 
: attacks. 
 
: does that make sense? 
 
 
Yes, it makes a lot of sense; they are called "bind variables", and they 
are implemented by vendors such as Oracle. 
 
Quoting myself from an earlier post 
 
oracle examples  
 
 
        http://www.oracle.com/technology/pub/articles/oracle_php_cookbook/ullman_bindings.html  
 
 
mysql via mysqli (look for "bind")  
 
 
        http://ca.php.net/mysqli  
 
 
mysql without mysqli  
 
 
        <quote>  
        Andy Hassall  
        Sep 6, 2:28 pm  
         ...  
        I recommend using the ADOdb library  
        (http://adodb.sourceforge.net/).  
        </quote>  
 
 
 
 
-- 
 
This programmer available for rent.
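An added example, not from either poster, showing what "bind variables" buy you and the one caveat the original idea glosses over. It uses Python's built-in sqlite3 module in place of PHP/mysqli so it runs without a database server; the placeholder syntax (`?`) and the table, column and row values are constructed for the demo. Note that bind variables cover the *values* in a query (the `$id` in the original post), not the table or field names: those are structural parts of the statement, so the example checks them against an allow-list before splicing them in.

```python
import sqlite3

# Constructed demo schema and rows, mirroring the table/field names in the post.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE personel (id INTEGER PRIMARY KEY, last_name TEXT, salary INTEGER)"
    )
    conn.executemany(
        "INSERT INTO personel VALUES (?, ?, ?)",
        [(425, "Ullman", 100), (426, "Hassall", 200)],
    )
    return conn

def lookup_unsafe(conn, user_id):
    # The value is pasted into the SQL text, so the parser sees a single
    # string and cannot tell where the user's input ends.
    sql = "SELECT last_name FROM personel WHERE id='%s'" % user_id
    return [row[0] for row in conn.execute(sql)]

def lookup_bound(conn, user_id):
    # The value travels to the parser separately from the statement text,
    # which is exactly what the original post proposes. Quotes in the
    # input are just characters in a value; they never become SQL syntax.
    sql = "SELECT last_name FROM personel WHERE id=?"
    return [row[0] for row in conn.execute(sql, (user_id,))]

# Caveat: identifiers (table and column names) cannot be bound, because the
# statement has to be parsed before values are attached. Restrict them to a
# fixed set instead of trusting a caller-supplied string.
ALLOWED_COLUMNS = {"last_name", "salary"}
ALLOWED_TABLES = {"personel"}

def lookup_with_identifiers(conn, field, table, user_id):
    if field not in ALLOWED_COLUMNS or table not in ALLOWED_TABLES:
        raise ValueError("identifier not in allow-list")
    # Safe only because both names were just checked against the allow-list;
    # the value is still bound rather than interpolated.
    sql = 'SELECT "%s" FROM "%s" WHERE id=?' % (field, table)
    return [row[0] for row in conn.execute(sql, (user_id,))]

if __name__ == "__main__":
    db = make_db()
    hostile = "425' OR '1'='1"
    print("concatenated:", lookup_unsafe(db, hostile))   # every row leaks
    print("bound:       ", lookup_bound(db, hostile))    # no match
    print("bound, valid:", lookup_bound(db, 425))
    print("identifier:  ", lookup_with_identifiers(db, "salary", "personel", 426))
```

Run as-is: the concatenated version returns both rows for the hostile input, the bound version returns nothing for it and the right row for a genuine id. The same pattern in PHP is mysqli's `prepare` / `bind_param` / `execute`, which is the "bind" the reply above points at.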
 
  
Navigation:
[Reply to this message] 
 |