Reply to Re: solution for preventing injection attacks

Posted by Malcolm Dew-Jones on 11/18/05 04:18

www.douglassdavis.com (doug@douglassdavis.com) wrote:

: I have an idea for preventing SQL injection attacks, however it would
: have to be implemented by the database vendor. Let me know if I am on
: the right track, if this is totally off base, or if it is already
: implemented somewhere...

: Let's say you could have a format string such as in printf

: $format=" SELECT %s FROM %s WHERE id='%s' ";
: $fieldname="last_name";
: $tablename="personel";
: $id="425";

: and you could execute a query like

: mysql_query_formatted($format, $fieldname, $tablename, $id);

: Now, the key is that instead of just adding the $fieldname, $tablename,
: $id to the $format string and passing it to mysql_query, it would be
: passed to the parser as separate strings. The parser should know how
: to handle that format. That way, the parser would always know where
: the different table names, field names, and other strings start and
: end. So, the problem of injection attacks caused by someone confusing
: the parser by entering things like ' and " is gone.


: It would be easier on the programmer. There would be no need to worry
: about escape characters when passing to this function; the strings
: would not have to be escaped. The parser would no longer have to
: guess where the boundaries are. No more worrying about injection
: attacks.

: Does that make sense?


Yes, it makes a lot of sense: they are called "bind variables", and they
are implemented by vendors such as Oracle.

Quoting myself from an earlier post:

Oracle examples


http://www.oracle.com/technology/pub/articles/oracle_php_cookbook/ullman_bindings.html


MySQL via mysqli (look for "bind")


http://ca.php.net/mysqli


MySQL without mysqli


<quote>
Andy Hassall
Sep 6, 2:28 pm
...
I recommend using the ADOdb library
(http://adodb.sourceforge.net/).
</quote>




--

This programmer available for rent.
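An added illustration of the bind-variable approach discussed above (this is example code, not from either poster or from any of the libraries linked, and it uses Python's sqlite3 module as a stand-in for mysqli's bind). One caveat the original idea glosses over: bind variables carry values, not identifiers, so the field and table names from the post cannot be bound and are checked against an allow-list instead. The table, rows, and ALLOWED_* sets are constructed for the demo.

```python
import sqlite3

# Constructed in-memory table standing in for the post's "personel" table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE personel (id TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO personel VALUES (?, ?)",
                     [("425", "Smith"), ("426", "Jones"), ("427", "O'Brien")])
    return conn

# Hypothetical allow-lists: drivers bind only values, never identifiers,
# so table and column names must be validated some other way.
ALLOWED_TABLES = {"personel"}
ALLOWED_FIELDS = {"last_name", "id"}

def query_formatted(conn, fieldname, tablename, id_value):
    """Bind-variable version of the post's mysql_query_formatted idea.
    Identifiers come from an allow-list; the id value is passed to the
    driver separately (the '?' placeholder), so quote characters in it
    are data, never SQL syntax."""
    if tablename not in ALLOWED_TABLES or fieldname not in ALLOWED_FIELDS:
        raise ValueError("identifier not permitted")
    sql = f'SELECT "{fieldname}" FROM "{tablename}" WHERE id = ?'
    return [row[0] for row in conn.execute(sql, (id_value,))]

def query_concatenated(conn, fieldname, tablename, id_value):
    """The pattern the post wants to get rid of: the value is spliced
    into the SQL text, so the parser has to guess where it ends."""
    sql = f"SELECT {fieldname} FROM {tablename} WHERE id = '{id_value}'"
    return [row[0] for row in conn.execute(sql)]

if __name__ == "__main__":
    db = make_db()
    print(query_formatted(db, "last_name", "personel", "425"))      # ['Smith']
    # An id containing quote characters matches nothing when bound,
    # but widens the WHERE clause to every row when concatenated.
    probe = "' OR '1'='1"
    print(query_formatted(db, "last_name", "personel", probe))      # []
    print(query_concatenated(db, "last_name", "personel", probe))   # 3 rows
```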
