sprintf for SQL injection testing | | | re: sprintf for SQL injection testing
Hello all -
I'm looking at web pages describing how to prevent SQL injections
with PHP. All of them mention mysql_real_escape_string. However, I
recall mention of sprintf at some time in the past.
Is mysql_real_escape_string sufficient to prevent injections, or
should $_POST or $_GET data also be checked with sprintf? | | | lawpoop@gmail.com wrote: Quote:
Hello all -
>
I'm looking at web pages describing how to prevent SQL injections
with PHP. All of them mention mysql_real_escape_string. However, I
recall mention of sprintf at some time in the past.
>
Is mysql_real_escape_string sufficient to prevent injections, or
should $_POST or $_GET data also be checked with sprintf?
>
sprintf() doesn't check strings for sql injection. It merely formats
data into a string.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. jstucklex@attglobal.net
================== | | | | re: sprintf for SQL injection testing lawpoop@gmail.com schreef: Quote:
Hello all -
>
I'm looking at web pages describing how to prevent SQL injections
with PHP. All of them mention mysql_real_escape_string. However, I
recall mention of sprintf at some time in the past.
>
Is mysql_real_escape_string sufficient to prevent injections, or
should $_POST or $_GET data also be checked with sprintf?
Hi,
mysql_real_escape_string is enough to prevent SQL injection.
(Or use prepared statements.)
I am not sure if sprintf() is the right way to avoid injection, but
without an example, I cannot tell. ;-)
Regards,
Erwin Moller | | | | re: sprintf for SQL injection testing
..oO(lawpoop@gmail.com) Quote:
>I'm looking at web pages describing how to prevent SQL injections
>with PHP. All of them mention mysql_real_escape_string. However, I
>recall mention of sprintf at some time in the past.
>
>Is mysql_real_escape_string sufficient to prevent injections, or
>should $_POST or $_GET data also be checked with sprintf?
mysql_real_escape_string() or prepared statements (PDO) are the way to
go to prevent SQL injection. sprintf() has nothing to do with databases
and doesn't escape anything, but of course it can be really useful to
create complex queries or other strings.
Micha | | | | re: sprintf for SQL injection testing
On Apr 14, 11:29 am, Erwin Moller
<Since_humans_read_this_I_am_spammed_too_m...@spam yourself.com> wrote: Quote:
I am not sure if sprintf() is the right way to avoid injection, but
without an example, I cannot tell. ;-)
Well, IIRC, it wasn't specifically for SQL injection, but rather for
any sort of malformed data.
Something like
$sql = sprintf( "INSERT INTO table ( field1, field2 ) VALUES ( '%s', %d )",
                $_POST['string'], $_POST['number'] ); | | | | re: sprintf for SQL injection testing lawpoop@gmail.com schreef: Quote:
On Apr 14, 11:29 am, Erwin Moller
<Since_humans_read_this_I_am_spammed_too_m...@spam yourself.com> wrote:
> Quote:
>I am not sure if sprintf() is the right way to avoid injection, but
>without an example, I cannot tell. ;-)
>
>
Well, IIRC, it wasn't specifically for SQL injection, but rather for
any sort of malformed data.
>
Something like
>
$sql = sprintf( "INSERT INTO table ( field1, field2 ) VALUES ( '%s', %d )",
                $_POST['string'], $_POST['number'] );
>
Hi,
But if $_POST["string"] contains:
bla',2);delete from table;--
you still have SQL injection. :-/
I think.
(Not 100% sure, I seldom need sprintf.)
Regards,
Erwin Moller | | | | re: sprintf for SQL injection testing
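Added example, written by the editor and not posted by anyone in this thread: it takes the payload from Erwin's reply above and shows what each way of building the INSERT does with it. sprintf() with a '%s' placeholder passes the payload through unchanged, so the quote inside it closes the literal and the rest executes as SQL; a PDO prepared statement binds the same payload as a plain value; and the escape-then-format pattern also survives it. It runs against an in-memory SQLite database through PDO so that it works offline with no MySQL server, so the table is called t (table is a reserved word), and PDO::quote() stands in for mysql_real_escape_string(), which needs a live MySQL connection.

```php
<?php
// Added example (not from the thread). Demonstrates that sprintf() only
// formats: a %s placeholder does no escaping, so an injection payload in
// the argument becomes part of the SQL, whereas a prepared statement
// treats the same payload as data. Uses SQLite in memory via PDO so it
// runs offline; the thread discusses MySQL, but the behaviour is the same.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE t (field1 TEXT, field2 INTEGER)');
$pdo->exec("INSERT INTO t VALUES ('existing row', 1)");

function row_count(PDO $pdo): int
{
    return (int) $pdo->query('SELECT COUNT(*) FROM t')->fetchColumn();
}

// Constructed input standing in for $_POST['string'] and $_POST['number'];
// the string is Erwin's payload with the table name adjusted.
$string = "bla',2);delete from t;--";
$number = '7';

// 1. sprintf() with %s: no escaping. The quote in the payload ends the
//    literal, the "delete from t" runs as a second statement, and "--"
//    comments out the rest of the original query.
$sql = sprintf("INSERT INTO t (field1, field2) VALUES ('%s', %d)", $string, $number);
echo "sprintf build:   $sql\n";
$pdo->exec($sql);                       // executes the INSERT and the DELETE
echo 'rows after sprintf build: ' . row_count($pdo) . "\n";   // the table is now empty

// 2. Prepared statement: the payload is bound as a value, never parsed as SQL.
$stmt = $pdo->prepare('INSERT INTO t (field1, field2) VALUES (?, ?)');
$stmt->execute([$string, (int) $number]);
echo 'rows after prepared insert: ' . row_count($pdo) . "\n";
echo 'stored field1: ' . $pdo->query('SELECT field1 FROM t ORDER BY rowid DESC LIMIT 1')->fetchColumn() . "\n";

// 3. Escape first, then let sprintf() place the escaped value, the pattern
//    from the PHP manual. PDO::quote() is the stand-in for
//    mysql_real_escape_string(); note that quote() adds the surrounding
//    quotes itself, so the format string uses a bare %s.
$sql = sprintf('INSERT INTO t (field1, field2) VALUES (%s, %d)', $pdo->quote($string), $number);
echo "escaped build:   $sql\n";
$pdo->exec($sql);
echo 'rows after escaped insert: ' . row_count($pdo) . "\n";
```

Run it with `php example.php` (needs the pdo_sqlite extension, which is bundled with PHP). The first build deletes every row, including the one it just inserted; the prepared statement stores the payload verbatim as the text of field1; the escaped build stores it as well, with the embedded quote doubled in the generated SQL. The prepared statement is the one to prefer: it needs no escaping step that can be forgotten, and it does not depend on the connection's character set the way mysql_real_escape_string() does.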
On Apr 14, 11:52 am, Erwin Moller
<Since_humans_read_this_I_am_spammed_too_m...@spam yourself.com> wrote: Quote:
lawp...@gmail.com schreef:
> Quote:
On Apr 14, 11:29 am, Erwin Moller
<Since_humans_read_this_I_am_spammed_too_m...@spam yourself.com> wrote:
> Quote: Quote:
I am not sure if sprintf() is the right way to avoid injection, but
without an example, I cannot tell. ;-)
> Quote:
Well, IIRC, it wasn't specifically for SQL injection, but rather for
any sort of malformed data.
> > Quote:
$sql = sprintf( "INSERT INTO table ( field1, field2 ) VALUES ( '%s', %d )",
                $_POST['string'], $_POST['number'] );
>
Hi,
>
But if $_POST["string"] contains:
bla',2);delete from table;--
>
you still have SQL injection. :-/
I think.
(Not 100% sure, I seldom need sprintf.)
>
Regards,
Erwin Moller
Right. Maybe SQL injection wasn't the concern it was supposed to
address, but instead a buffer overflow or something like that. | | | | re: sprintf for SQL injection testing lawpoop@gmail.com wrote: Quote:
>
Right. Maybe SQL injection wasn't the concern it was supposed to
address, but instead a buffer overflow or something like that.
Or then again, maybe not. | | | | re: sprintf for SQL injection testing
On Apr 14, 5:29 pm, "Paul Lautman" <paul.laut...@btinternet.com>
wrote: Quote:
lawp...@gmail.com wrote:
> Quote:
Right. Maybe SQL injection wasn't the concern it was supposed to
address, but instead a buffer overflow or something like that.
>
Or then again, maybe not.
Well, you can use it to prevent SQL injection when you are doing type
checking:
<?php
// Unsafe: the input is interpolated straight into the query, so the quote
// and the semicolon in it become part of the SQL.
$input = "'5'; DELETE FROM table;";
$sql = "UPDATE table SET value = $input WHERE id = 12";
echo $sql . "\n";
?>
UPDATE table SET value = '5'; DELETE FROM table; WHERE id = 12
<?php
// %d forces the argument to an integer; a non-numeric string becomes 0,
// so nothing from the input can reach the query as SQL.
$input = "''; SELECT * FROM table;";
$sql = sprintf( "UPDATE table SET value = %d WHERE id = 12", $input );
echo $sql . "\n";
?>
UPDATE table SET value = 0 WHERE id = 12
Although, you wouldn't want a 0 value being updated. Much preferable
is a syntax error where no value is changed. | | | | re: sprintf for SQL injection testing
On Apr 15, 9:28 am, lawp...@gmail.com wrote: Quote:
On Apr 14, 5:29 pm, "Paul Lautman" <paul.laut...@btinternet.com>
wrote:
> Quote:
lawp...@gmail.com wrote:
> Quote: Quote:
Right. Maybe SQL injection wasn't the concern it was supposed to
address, but instead a buffer overflow or something like that.
> Quote:
Or then again, maybe not.
>
Well, you can use it to prevent SQL injection when you are doing type
checking:
>
<?
$input = "'5'; DELETE FROM table;";
>
$sql = "UPDATE table SET value = $input WHERE id = 12";
>
echo $sql . "\n";
?>
>
UPDATE table SET value = '5'; DELETE FROM table; WHERE id = 12
>
<?
$input = "''; SELECT * FROM table;";
>
$sql = sprintf( "UPDATE table SET value = %d WHERE id = 12", $input );
>
echo $sql . "\n";
?>
>
UPDATE table SET value = 0 WHERE id = 12
>
Although, you wouldn't want a 0 value being updated. Much preferable
is a syntax error where no value is changed.
From the PHP site,
<?php
// Connect. mysql_real_escape_string() needs an open connection because the
// escaping depends on the connection's character set.
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
    OR die(mysql_error());
// Query: escape each value first, then let sprintf() place the escaped
// values inside the quoted literals. ($user and $password are assumed to
// hold the submitted credentials.)
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
    mysql_real_escape_string($user),
    mysql_real_escape_string($password));
?> | | | | re: sprintf for SQL injection testing
On Tue, 15 Apr 2008 18:28:08 +0200, <lawpoop@gmail.com> wrote: Quote:
On Apr 14, 5:29 pm, "Paul Lautman" <paul.laut...@btinternet.com>
wrote: Quote:
>lawp...@gmail.com wrote:
>> Quote:
Right. Maybe SQL injection wasn't the concern it was supposed to
address, but instead a buffer overflow or something like that.
>>
>Or then again, maybe not.
>
Well, you can use it to prevent SQL injection when you are doing type
checking:
Well, only when forcibly converting to numbers. Always use <?php, even in examples. Quote:
Although, you wouldn't want a 0 value being updated. Much preferable
is a syntax error where no value is changed.
Indeed, a ctype_* function and possibly informing the user of an illegal
value would be better.
--
Rik Wasmus | | | | re: sprintf for SQL injection testing
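Added example, written by the editor and not posted by anyone in this thread: it follows up Rik's point above that sprintf('%d') only helps because it forcibly converts to a number, and that a ctype_* check which rejects bad input is better. The function names build_with_d() and validated_int() are the editor's; the inputs are constructed for the demonstration, and the table name is shortened to t.

```php
<?php
// Added example (not from the thread). Shows what sprintf('%d') actually
// does with hostile input, and why validating with ctype_digit() and
// rejecting the request is the better choice.

function build_with_d(string $input): string
{
    // %d forces an integer, so no SQL syntax from $input can reach the
    // query. PHP converts the string silently: a non-numeric string such
    // as "''; SELECT ..." becomes 0, but a leading-numeric string such as
    // "5; DELETE ..." becomes 5, so the UPDATE still runs with a value the
    // caller never validated.
    return sprintf('UPDATE t SET value = %d WHERE id = 12', $input);
}

function validated_int(string $input): ?int
{
    // Accept only a string made of digits (surrounding whitespace allowed);
    // everything else, including negatives and the empty string, is
    // rejected so the caller can refuse the request and tell the user.
    $trimmed = trim($input);
    return ctype_digit($trimmed) ? (int) $trimmed : null;
}

// Constructed inputs: one honest value, two injection attempts, a negative
// number and a padded number.
$inputs = ['42', "''; SELECT * FROM t;", '5; DELETE FROM t;', '-1', ' 7 '];

foreach ($inputs as $input) {
    $v = validated_int($input);
    printf("[%s]\n    sprintf  -> %s\n    validate -> %s\n",
        $input,
        build_with_d($input),
        $v === null ? 'REJECT' : (string) $v);
}
```

Run with `php example.php`. The contrast to watch is the "5; DELETE FROM t;" line: sprintf('%d') turns it into `UPDATE t SET value = 5 WHERE id = 12`, which is syntactically clean and will execute, while validated_int() rejects it outright. That is the difference Rik describes: %d stops the injection but not the bad data, and a rejected request is the outcome you want.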
On 15 Apr, 16:28, lawp...@gmail.com wrote: Quote:
On Apr 14, 5:29 pm, "Paul Lautman" <paul.laut...@btinternet.com>
wrote:
> Quote:
lawp...@gmail.com wrote:
> Quote: Quote:
Right. Maybe SQL injection wasn't the concern it was supposed to
address, but instead a buffer overflow or something like that.
> Quote:
Or then again, maybe not.
>
Well, you can use it to prevent SQL injection when you are doing type
checking:
I didn't say you couldn't, did I? | | | | re: sprintf for SQL injection testing
On 15 Apr, 16:48, Mike Camden <camden.mich...@gmail.com> wrote: Quote:
On Apr 15, 9:28 am, lawp...@gmail.com wrote:
>
>
> Quote:
On Apr 14, 5:29 pm, "Paul Lautman" <paul.laut...@btinternet.com>
wrote:
> Quote: Quote:
lawp...@gmail.com wrote:
> Quote: Quote:
Right. Maybe SQL injection wasn't the concern it was supposed to
address, but instead a buffer overflow or something like that.
> Quote: Quote:
Or then again, maybe not.
> Quote:
Well, you can use it to prevent SQL injection when you are doing type
checking:
> Quote:
<?
$input = "'5'; DELETE FROM table;";
> Quote:
$sql = "UPDATE table SET value = $input WHERE id = 12";
> Quote:
echo $sql . "\n";
?>
> Quote:
UPDATE table SET value = '5'; DELETE FROM table; WHERE id = 12
> Quote:
<?
$input = "''; SELECT * FROM table;";
> Quote:
$sql = sprintf( "UPDATE table SET value = %d WHERE id = 12", $input );
> Quote:
echo $sql . "\n";
?>
> Quote:
UPDATE table SET value = 0 WHERE id = 12
> Quote:
Although, you wouldn't want a 0 value being updated. Much preferable
is a syntax error where no value is changed.
>
From the PHP site,
>
<?php
// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
OR die(mysql_error());
>
// Query
$query = sprintf("SELECT * FROM users WHERE user='%s' AND
password='%s'",
mysql_real_escape_string($user),
mysql_real_escape_string($password));
?>
What point are you trying to make by posting that extract?