Hi,
In many web articles, people focusing on SQL injection in the form of :
e.g.
/************************************************** ********/
$name = "tom' UNION blah blah blah"
$query = "SELECT * FROM users WHERE name = '".$name."';
/************************************************** ********/
However, another form of SQL injection might in the form of...
/************************************************** ********/
$name = "1 UNION blah blah blah"
$query = "SELECT * FROM users WHERE id = ".$name;
/************************************************** ********/
for case 1, we can easily solved by escaping the special characters
like " ' ", but how to solve for case 2?
Thanks.
11  1930 
howac...@gmail.com wrote: Hi,
In many web articles, people focusing on SQL injection in the form of :
e.g.
/************************************************** ********/
$name = "tom' UNION blah blah blah"
$query = "SELECT * FROM users WHERE name = '".$name."';
/************************************************** ********/
However, another form of SQL injection might in the form of...
/************************************************** ********/
$name = "1 UNION blah blah blah"
$query = "SELECT * FROM users WHERE id = ".$name;
/************************************************** ********/
for case 1, we can easily solved by escaping the special characters
like " ' ", but how to solve for case 2?
Thanks.
I believe it would treat 1 UNION blah blah blah as a string, meaning
the query would look like
SELECT * FROM users here id = '1 UNION blah blah blah'
Frizzle.
frizzle wrote: howac...@gmail.com wrote: Hi,
In many web articles, people focusing on SQL injection in the form of :
e.g.
/************************************************** ********/
$name = "tom' UNION blah blah blah"
$query = "SELECT * FROM users WHERE name = '".$name."';
/************************************************** ********/
However, another form of SQL injection might in the form of...
/************************************************** ********/
$name = "1 UNION blah blah blah"
$query = "SELECT * FROM users WHERE id = ".$name;
/************************************************** ********/
for case 1, we can easily solved by escaping the special characters
like " ' ", but how to solve for case 2?
Thanks.
I believe it would treat 1 UNION blah blah blah as a string, meaning
the query would look like
SELECT * FROM users here id = '1 UNION blah blah blah'
Frizzle.
However, The resulting query is :
SELECT * FROM users WHERE id = 1 UNION blah blah blah
and it worked! ho******@gmail.com wrote: Hi,
In many web articles, people focusing on SQL injection in the form of :
e.g.
/************************************************** ********/
$name = "tom' UNION blah blah blah"
$query = "SELECT * FROM users WHERE name = '".$name."';
/************************************************** ********/
However, another form of SQL injection might in the form of...
/************************************************** ********/
$name = "1 UNION blah blah blah"
$query = "SELECT * FROM users WHERE id = ".$name;
/************************************************** ********/
for case 1, we can easily solved by escaping the special characters
like " ' ", but how to solve for case 2?
Thanks.
Yeah, that's something that's often overlooked. What you want to do is
cast the variable to integer. PHP will convert a string that's not a
number into zero, an attempt at SQL injection would yield an no-op.
Also keep an eye out for IN constructs:
$sql = "SELECT * FROM users WHERE id IN (" . implode(',',
$_POST['checkboxes']) .")";
An easy way to prevent injection in this case is to use a intval() on
every element with the help of array_map().
Chung Leong wrote: ho******@gmail.com wrote: Hi,
In many web articles, people focusing on SQL injection in the form of :
e.g.
/************************************************** ********/
$name = "tom' UNION blah blah blah"
$query = "SELECT * FROM users WHERE name = '".$name."';
/************************************************** ********/
However, another form of SQL injection might in the form of...
/************************************************** ********/
$name = "1 UNION blah blah blah"
$query = "SELECT * FROM users WHERE id = ".$name;
/************************************************** ********/
for case 1, we can easily solved by escaping the special characters
like " ' ", but how to solve for case 2?
Thanks.
Yeah, that's something that's often overlooked. What you want to do is
cast the variable to integer. PHP will convert a string that's not a
number into zero, an attempt at SQL injection would yield an no-op.
Also keep an eye out for IN constructs:
$sql = "SELECT * FROM users WHERE id IN (" . implode(',',
$_POST['checkboxes']) .")";
An easy way to prevent injection in this case is to use a intval() on
every element with the help of array_map().
but what i forgot is to enclose the variable part of the query (WHERE
clause) within those single quotation marks. That should have it treat
is as a string ...
Frizzle.
Use PHP 5's mysqli class. It allows query parameters to be binded and
hence forces us to explicitly declare the type of parameter being
passed (string/double/integer/blob). This way, SQL injections that you
mentioned can be prevented.
Hope this helps.
frizzle wrote: Chung Leong wrote: ho******@gmail.com wrote: Hi,
In many web articles, people focusing on SQL injection in the form of :
e.g.
/************************************************** ********/
$name = "tom' UNION blah blah blah"
$query = "SELECT * FROM users WHERE name = '".$name."';
/************************************************** ********/
However, another form of SQL injection might in the form of...
/************************************************** ********/
$name = "1 UNION blah blah blah"
$query = "SELECT * FROM users WHERE id = ".$name;
/************************************************** ********/
for case 1, we can easily solved by escaping the special characters
like " ' ", but how to solve for case 2?
Thanks.
Yeah, that's something that's often overlooked. What you want to do is
cast the variable to integer. PHP will convert a string that's not a
number into zero, an attempt at SQL injection would yield an no-op.
Also keep an eye out for IN constructs:
$sql = "SELECT * FROM users WHERE id IN (" . implode(',',
$_POST['checkboxes']) .")";
An easy way to prevent injection in this case is to use a intval() on
every element with the help of array_map().
but what i forgot is to enclose the variable part of the query (WHERE
clause) within those single quotation marks. That should have it treat
is as a string ...
Frizzle. ho******@gmail.com wrote: Hi,
In many web articles, people focusing on SQL injection in the form of :
e.g.
/************************************************** ********/
$name = "tom' UNION blah blah blah"
$query = "SELECT * FROM users WHERE name = '".$name."';
/************************************************** ********/
However, another form of SQL injection might in the form of...
/************************************************** ********/
$name = "1 UNION blah blah blah"
$query = "SELECT * FROM users WHERE id = ".$name;
/************************************************** ********/
for case 1, we can easily solved by escaping the special characters
like " ' ", but how to solve for case 2?
Thanks.
This dynamic query forming is the root cause of the problem.
Here is how to solve it:
require_once ('adodb/adodb.inc.php');
require_once ('adodb/adodb-exceptions.inc.php');
$db = NewADOConnection("oci8");
$SQL="SELECT * FROM users WHERE name = :NAME";
try {
$db->Connect($DSN['database'], $DSN['username'],$DSN['password']);
$db->execute($SQL,array("NAME"=>$name));
}
catch(Exception $e) {
die($e->getMessage());
}
The only difference from your situation is the use of "oci8" driver
which is unlikely to work with MySQL. Everything else will work,
including placeholders. That way, you not only eliminate any possibility
for SQL injection but you also help the underlying database as it can
reuse previously parsed cursor. Entering SQL expressions will not have
any effect, as the variable is bound to a placeholder, not used to
create SQL dynamically.
--
Mladen Gogala http://www.mgogala.com
frizzle wrote: Chung Leong wrote: ho******@gmail.com wrote: Hi,
In many web articles, people focusing on SQL injection in the form of :
e.g.
/************************************************** ********/
$name = "tom' UNION blah blah blah"
$query = "SELECT * FROM users WHERE name = '".$name."';
/************************************************** ********/
However, another form of SQL injection might in the form of...
/************************************************** ********/
$name = "1 UNION blah blah blah"
$query = "SELECT * FROM users WHERE id = ".$name;
/************************************************** ********/
for case 1, we can easily solved by escaping the special characters
like " ' ", but how to solve for case 2?
Thanks.
Yeah, that's something that's often overlooked. What you want to do is
cast the variable to integer. PHP will convert a string that's not a
number into zero, an attempt at SQL injection would yield an no-op.
Also keep an eye out for IN constructs:
$sql = "SELECT * FROM users WHERE id IN (" . implode(',',
$_POST['checkboxes']) .")";
An easy way to prevent injection in this case is to use a intval() on
every element with the help of array_map().
but what i forgot is to enclose the variable part of the query (WHERE
clause) within those single quotation marks. That should have it treat
is as a string ...
Frizzle.
Well, if it's meant to be a string, then it wouldn't have worked in the
first place. If a variable is supposed to be a number, then casting it
to int prevents it from being something else. ho******@gmail.com wrote: Hi,
<snip> However, another form of SQL injection might in the form of...
/************************************************** ********/
$name = "1 UNION blah blah blah"
$query = "SELECT * FROM users WHERE id = ".$name;
/************************************************** ********/
for case 1, we can easily solved by escaping the special characters
like " ' ", but how to solve for case 2?
Use prepared statements. FWIW,
<http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html>
--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/
Mladen Gogala 寫道: ho******@gmail.com wrote: Hi,
In many web articles, people focusing on SQL injection in the form of :
e.g.
/************************************************** ********/
$name = "tom' UNION blah blah blah"
$query = "SELECT * FROM users WHERE name = '".$name."';
/************************************************** ********/
However, another form of SQL injection might in the form of...
/************************************************** ********/
$name = "1 UNION blah blah blah"
$query = "SELECT * FROM users WHERE id = ".$name;
/************************************************** ********/
for case 1, we can easily solved by escaping the special characters
like " ' ", but how to solve for case 2?
Thanks.
This dynamic query forming is the root cause of the problem.
Here is how to solve it:
require_once ('adodb/adodb.inc.php');
require_once ('adodb/adodb-exceptions.inc.php');
$db = NewADOConnection("oci8");
$SQL="SELECT * FROM users WHERE name = :NAME";
try {
$db->Connect($DSN['database'], $DSN['username'],$DSN['password']);
$db->execute($SQL,array("NAME"=>$name));
}
catch(Exception $e) {
die($e->getMessage());
}
The only difference from your situation is the use of "oci8" driver
which is unlikely to work with MySQL. Everything else will work,
including placeholders. That way, you not only eliminate any possibility
for SQL injection but you also help the underlying database as it can
reuse previously parsed cursor. Entering SQL expressions will not have
any effect, as the variable is bound to a placeholder, not used to
create SQL dynamically.
--
Mladen Gogala
http://www.mgogala.com
hello,
how to use placeholder without adodb ?
(PHP4)
thanks...
Mladen Gogala 寫道: ho******@gmail.com wrote: Mladen Gogala 寫道:
One and only.
hello,
how to use placeholder without adodb ?
(PHP4)
thanks...
PDO also supports placeholders.
--
Mladen Gogala
http://www.mgogala.com
well, PDO only ship with PHP5, what is the best practice for DB query
in PHP4?
thanks anyway... This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: diroddi |
last post by:
In reference to the Manual Lemos Form class, does anybody know if the
class does anything to prevent SQL injection attacks or provide any
kind of security by cleaning _POST variables?
Also, does...
|
by: PinkBishop |
last post by:
Hello All,
Hope you can help.
Below is the code I use to send data from form to database.
Problem is if an apostrophe is entered in cQuestion field or any field
for that matter the form...
|
by: stokefan |
last post by:
Hi all,
I wondered if anyone knew if it was possible to delete entries in an MS
Access database table from just entering data into it?
I shall explain :
If you have a web form (in asp.net...
|
by: Drew |
last post by:
I need to iterate through a submitted form, inserting data on each pass. In
the past, I have always used form elements that were named with numbers at
the end, like this,
name1 relationship1...
|
by: bregent |
last post by:
I've seen plenty of articles and utilities for preventing form injections for
ASP.NET, but not too much for classic ASP. Are there any good input validation
scripts that you use to avoid form...
|
by: Scott |
last post by:
I've been trying to come up with a way to ensure user input is coming
from the form on my site, and not auto-submitted from elsewhere, and I
don't want to use the "enter the code shown in the...
|
by: stirrell |
last post by:
Hello,
One problem that I had been having is stopping email injections on
contact forms. I did some research, read up on it and felt like I had
created a working solution. I hadn't gotten any...
|
by: Sithlord999 |
last post by:
Hello.
I'm working on an email form on Dreamweaver and I'm looking for a PHP code to make it work. The form with some required fields would send the submitted information and two image attachments...
|
by: mikeinspain |
last post by:
hi there..
I have a php form script that is pretty much there... I am however having a problem when I go to test the form. the mail comes through into my inbox displaying the information ok...
|
by: taylorcarr |
last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: ryjfgjl |
last post by:
If we have dozens or hundreds of excel to import into the database, if we use the excel import function provided by database editors such as navicat, it will be extremely tedious and time-consuming...
|
by: ryjfgjl |
last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
| |
