 Posted by www.douglassdavis.com on 11/18/05 04:21 
I have an idea for preventing SQL injection attacks, however it would 
have to be implemented by the database vendor.  Let me know if I am on 
the right track, if this is totally off base, or if it is already implemented 
somewhere... 
 
Let's say you could have a format string such as in printf 
 
$format=" SELECT %s FROM %s WHERE id='%s' "; 
$fieldname="last_name"; 
$tablename="personel"; 
$id="425"; 
 
and you could execute a query like 
 
mysql_query_formatted($format, $fieldname, $tablename, $id); 
 
Now, the key is that instead of just adding the $fieldname, $tablename, 
$id to the $format string and passing it to mysql_query, it would be 
passed to the parser as separate strings.  The parser should know how 
to handle that format.  That way, the parser would always know where 
the different table names, field names, and other strings start and 
end.  So, the problem of injection attacks caused by someone confusing 
the parser by entering things like ' and " is gone. 
 
 
It would be easier on the programmer. There would be no need to worry 
about escape characters when passing to this function; the strings 
would not have to be escaped.  The parser would no longer have to 
guess where the boundaries are.  No more worrying about injection 
attacks. 
 
Does that make sense? 
 
 
-- 
http://www.douglassdavis.com
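The mechanism the post asks for is what database drivers expose as prepared (parameterized) statements: the SQL text and the values are sent to the parser separately, so a quote inside a value can never alter the statement's structure. The example below is added here and is not the poster's code; it uses Python's standard sqlite3 module in place of MySQL (sqlite's `?` placeholder corresponds to the post's `%s`), builds a small constructed `personel` table, and puts the post's string-concatenation approach beside the bound-parameter form. One caveat the post's design glosses over: real prepared-statement APIs bind values only, not identifiers, so the `$fieldname` and `$tablename` parts still have to be checked against an allowlist (the `ALLOWED_*` sets here are an assumption for illustration) before they are placed in the SQL text.

```python
import sqlite3

# Constructed sample data; table and column names follow the post's example.
ROWS = [("425", "Davis"), ("426", "Smith"), ("427", "Jones")]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE personel (id TEXT PRIMARY KEY, last_name TEXT)")
    conn.executemany("INSERT INTO personel VALUES (?, ?)", ROWS)
    return conn


def lookup_concatenated(conn, user_id):
    """Vulnerable form: the value is pasted into the SQL text, so the parser
    has to guess where the string literal ends (the guessing the post describes)."""
    sql = "SELECT last_name FROM personel WHERE id='" + user_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, user_id):
    """Hardened form: SQL text and value travel separately; the driver binds the
    value as data, so quote characters inside it never change the statement."""
    sql = "SELECT last_name FROM personel WHERE id=?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


# Assumed allowlists: identifiers cannot be bound as parameters, so the only
# safe way to let a caller choose a table or column is to restrict the choices.
ALLOWED_TABLES = {"personel"}
ALLOWED_FIELDS = {"last_name", "id"}


def lookup_with_identifiers(conn, fieldname, tablename, user_id):
    """The post's three-part query: identifiers are validated against an
    allowlist and quoted, while the value is still bound as a parameter."""
    if tablename not in ALLOWED_TABLES or fieldname not in ALLOWED_FIELDS:
        raise ValueError("identifier not in allowlist")
    sql = f'SELECT "{fieldname}" FROM "{tablename}" WHERE id=?'
    return [row[0] for row in conn.execute(sql, (user_id,))]


if __name__ == "__main__":
    db = make_db()
    hostile = "425' OR '1'='1"
    print("concatenated, hostile input:", lookup_concatenated(db, hostile))
    print("parameterized, hostile input:", lookup_parameterized(db, hostile))
    print("allowlisted identifiers:", lookup_with_identifiers(db, "last_name", "personel", "425"))
```

Running the block shows the concatenated query returning every row for an input that contains a quote, while the parameterized query treats the same input as a single id value and returns nothing. The identifier allowlist is the part the post's proposal would still need in practice; even a format-aware parser cannot safely accept an arbitrary table name from the caller.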
 