Re: no insert ...

Posted by Iván Sánchez Ortega on 12/18/06 15:39

Erwin Moller wrote:

> I use ADODB lib (www.phplens.com/adodb) as a database abstraction layer.
> It has a function named qstr() that will make a string ready to use in an
> insert or update statement.

Quick reminder, guys: *ALWAYS* use this kind of function before putting a
string into *ANY* SQL statement.

Yeah, that means that "select" statements are vulnerable to injections too.
And any other SQL statement you can think of, is too, if it includes a
user-defined string.

> If magic quotes are on, it leaves the string as is.
> Otherwise it uses mysql_real_escape_string().
>
> But since mysql_real_escape_string() escapes more than addslashes(), I
> wonder if adodb is doing the right thing.
>
> addslashes works on: ", ', \, and the NULL-byte
> mysql_real_escape_string works on: \x00, \n, \r, \, ', " and \x1a.
>
> So \n, \r, \x1a are NOT escaped.
> Can any of these be used for SQL-injection?
[...]

For a SQL injection to be successful, the attacker must include a quote. If
you escape the quotes, you *should* be safe. Inserting a line break will
most likely stop the execution of the SQL statement.


But, in case of doubt, please use a vulnerability check suite: they'll try
every SQL injection system known. I can't recall the names of any right
now, so STFW to find 'em.

--
----------------------------------
Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-

A computer is not a television or a microwave; it is a complex tool.
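As an added illustration (not code from the thread or from ADOdb), here is a Python model of the two escaping rule sets quoted above, a helper that reports which characters only the MySQL-aware escaper rewrites, and a parameterised insert through sqlite3 as the approach that does not depend on any escaping rules at all. The sample input and the function names are my own constructions.

```python
import sqlite3

# Characters PHP addslashes() escapes (the thread's list: ", ', \ and NUL).
ADDSLASHES = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\x00": "\\0"}
# Characters mysql_real_escape_string() escapes (\x00, \n, \r, \, ', " and \x1a).
MYSQL_ESCAPE = {**ADDSLASHES, "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}


def addslashes(s: str) -> str:
    """Model of PHP addslashes(): backslash-escape only its four characters."""
    return "".join(ADDSLASHES.get(c, c) for c in s)


def mysql_real_escape_string(s: str) -> str:
    """Model of the MySQL client escaper, as listed in the thread."""
    return "".join(MYSQL_ESCAPE.get(c, c) for c in s)


def left_alone_by_addslashes(s: str) -> set:
    """Characters in s that the MySQL escaper rewrites but addslashes() passes through."""
    return {c for c in s if c in MYSQL_ESCAPE and c not in ADDSLASHES}


def quoted_literal(s: str) -> str:
    """What a qstr()-style helper produces once escaping is done: a single-quoted literal."""
    return "'" + mysql_real_escape_string(s) + "'"


def insert_with_placeholder(value: str) -> str:
    """Parameterised insert: the value never becomes part of the SQL text,
    so no escaping rules have to be right. Uses an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t (v TEXT)")
    con.execute("INSERT INTO t (v) VALUES (?)", (value,))
    return con.execute("SELECT v FROM t").fetchone()[0]


# Constructed sample containing every character either escaper handles.
SAMPLE = "O'Reilly \"x\" \\ \x00 line1\nline2\rend\x1a"

if __name__ == "__main__":
    print(repr(addslashes(SAMPLE)))
    print(repr(mysql_real_escape_string(SAMPLE)))
    print(sorted(left_alone_by_addslashes(SAMPLE)))
    print(repr(insert_with_placeholder(SAMPLE.replace("\x00", ""))))
```

Running it shows the three control characters that only the MySQL escaper touches, and that the placeholder version returns the stored value unchanged without any escaping on the application side.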
