
Thread: combatting SQL injection?

  1. #11
    Join Date
    Nov 2007
    Location
    New Zealand
    Beans
    1,026
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: combatting SQL injection?

    I use ORM a lot, so this problem is largely taken care of for me (e.g. Hibernate uses parametrized queries). However, even if you are using ORM you need to be aware of a few things.

    FYI:
    http://www.owasp.org/index.php/Inter...#ORM_Injection

    (Even if you are not directly using SQL this can be a problem)

  2. #12
    Join Date
    Feb 2008
    Location
    Cape Town, South Africa
    Beans
    Hidden!
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: combatting SQL injection?

    Quote Originally Posted by slavik:
    This is something I brought up that has been kicked around in the IRC channel.

    So now, I am giving this idea a wider audience.

    What about using urlencode() before inserting a string to combat SQL injection? (then using urldecode() before printing it)


    LOL, I finally found the post. Can I paste the 10k of log files for the discussion?

    But here is the gist of it: SQL escaping should only change the syntax, *not* the data that is actually stored. Your method actually changes the data set (it also increases it: more data to store).

    Seems like taking a jack hammer to open a peanut.

    Also, this approach is not valid for MySQL, which uses the '%' sign for wildcard comparison. URL encoding stuff will add wildcards where they are not supposed to be.
    Code:
    SELECT * FROM a WHERE d LIKE '%drubin'
    In your way this would be
    Code:
    SELECT * FROM a WHERE d LIKE '%25drubin'
    But the "d" column only contains drubin, asdf_drubin, and none of those would be found with your method (as there was no "escaping" on insert, because % was not inserted).
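To make the syntax-versus-data distinction concrete, here is an added example (not from the thread) in Python with the standard-library sqlite3 module: it runs the urlencode() idea from the quoted post against the post's LIKE '%drubin' query and compares it with the parameterized query an ORM or driver would issue. The table and its rows are constructed for the demonstration.

```python
import sqlite3
from urllib.parse import quote

# Constructed sample contents of the "d" column from the post, plus one value
# with characters that naive string concatenation would choke on.
SAMPLE_ROWS = ["drubin", "asdf_drubin", "o'brien drubin"]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE a (d TEXT)")
    return conn


def urlencode_approach(pattern):
    """The quoted post's idea: urlencode() every string before it touches SQL.

    Returns (what is actually stored, the SQL that gets executed, the matches).
    """
    conn = make_db()
    for value in SAMPLE_ROWS:
        # quote() hides the apostrophe, so the concatenation does not break ...
        conn.execute("INSERT INTO a (d) VALUES ('%s')" % quote(value))
    # ... but the stored values are no longer the original data.
    raw_stored = [row[0] for row in conn.execute("SELECT d FROM a")]
    # The wildcard in the LIKE pattern gets encoded too: '%drubin' -> '%25drubin'.
    sql = "SELECT d FROM a WHERE d LIKE '%s'" % quote(pattern)
    matches = [row[0] for row in conn.execute(sql)]
    return raw_stored, sql, matches


def parameterized_approach(pattern):
    """What a driver or ORM does for you: placeholders keep syntax and data apart.

    Returns (what is actually stored, the matches).
    """
    conn = make_db()
    conn.executemany("INSERT INTO a (d) VALUES (?)", [(v,) for v in SAMPLE_ROWS])
    raw_stored = [row[0] for row in conn.execute("SELECT d FROM a")]
    matches = [row[0] for row in conn.execute("SELECT d FROM a WHERE d LIKE ?", (pattern,))]
    return raw_stored, matches


if __name__ == "__main__":
    print(urlencode_approach("%drubin"))
    print(parameterized_approach("%drubin"))
```

With placeholders the data is stored byte-for-byte and all three rows match the pattern; note that a `%` inside a user-supplied value is still a LIKE wildcard with either approach, which is a data-handling question (use an ESCAPE clause), not an injection one.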
