Posted by Richard Lynch on 04/12/05 01:12
On Mon, April 11, 2005 12:16 am, info@globalissa.com said:
> I have a quick question: To use a custom solution for inhibiting sql
> injection attacks and not a database specific solution like
> mysql_real_escape_string()
>
> http://php.net/manual/en/function.mysql-real-escape-string.php
>
> ... that will run on any database, not just MySql, would the following be
> a viable solution:
>
> a. addslashes() to all variables and
> b. remove specific unwanted characters from input including:
>
> -- [comment sign in SQL]
> ' [single quote]
No.
# is the comment sign in SQL
No, wait, it's /* ... */
No, wait, there is no comment sign in SQL.
Which database are you using?
> It is possible to just destroy the unwanted characters in a login form and
> prohibit use of those characters in username and password fields.
That also can help, but you want some alphanumeric *AND* punctuation for
good passwords.
> Would a. plus b. above provide reasonably good protection to inhibit sql
> injection attacks, or what is the best database independent approach using
> php and not a database function?
class PlatformIndependentDatabase {
    var $platform;

    /* Constructor sets $platform to 'mysql', or 'pgsql' or 'sql-server' ... */

    /* Escape one string literal with whatever function the current backend
       understands, so callers never touch a database-specific function. */
    function escape_string($string) {
        switch ($this->platform) {
            case 'mysql':
                return mysql_real_escape_string($string);
            case 'pgsql':
                return pg_escape_string($string);
            default:
                /* No escaper known for this backend: log it and hand the
                   string back unchanged. */
                error_log("$this->platform has NO escape string?!");
                return $string;
        }
    }
}
Disclaimer: I don't use platform-independent db code, cuz I don't expect
to switch any time, and I don't use objects, cuz I'm a solo author and can
write better/faster code without them, so I likely have syntax errors in
the above.
--
Like Music?
http://l-i-e.com/artists.htm
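Added example, not from the original post or its author: the question above asked for a database-independent way to stop SQL injection in PHP. PDO prepared statements are that mechanism: the SQL text is fixed when the statement is prepared and the user values are bound separately, so no per-backend escaping function is needed and a quote in the input cannot end a string literal. The script uses PDO's SQLite driver with an in-memory database so it runs without a server; the users table, the sample row and the attack payload are all constructed for the demonstration.

```php
<?php
// Added example, not part of the original post. Answers the poster's question
// with the database-independent mechanism PHP offers: PDO prepared statements.
// Everything below (schema, sample row, payload) is constructed for the demo.

function makeDb(): PDO {
    // In-memory SQLite so the script runs offline; for MySQL or PostgreSQL
    // only the DSN and credentials change, the query code stays the same.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)');
    $db->exec("INSERT INTO users (username, password) VALUES ('alice', 'correct horse')");
    return $db;
}

// The pattern the poster is trying to protect: input concatenated into SQL.
// Kept deliberately vulnerable for the comparison below.
function loginUnsafe(PDO $db, string $user, string $pass): bool {
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$user' AND password = '$pass'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// The hardened form: the query text contains only placeholders and the values
// are bound at execute time, so a quote in the input never ends the literal.
function loginSafe(PDO $db, string $user, string $pass): bool {
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM users WHERE username = :user AND password = :pass'
    );
    $stmt->execute([':user' => $user, ':pass' => $pass]);
    return (int) $stmt->fetchColumn() > 0;
}

$db = makeDb();
$payload = "' OR '1'='1";   // classic tautology payload, constructed for the demo

// The tautology turns the unsafe query's WHERE clause into "... OR '1'='1'";
// the safe query compares the same bytes against the password column as data.
printf("unsafe, injected password: %s\n",
    loginUnsafe($db, 'alice', $payload) ? 'logged in' : 'rejected');
printf("safe,   injected password: %s\n",
    loginSafe($db, 'alice', $payload) ? 'logged in' : 'rejected');
printf("safe,   real password:     %s\n",
    loginSafe($db, 'alice', 'correct horse') ? 'logged in' : 'rejected');
```

Run it with `php demo.php` on any PHP build with pdo_sqlite enabled. When pointing the same code at MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the driver sends real server-side prepares instead of quoting the parameters client-side.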