Page 1 of 2 (results 1 to 10 of 12)

Thread: combatting SQL injection?

  1. #1
    Join Date
    Jan 2006
    Beans
    Hidden!
    Distro
    Ubuntu 10.10 Maverick Meerkat

    combatting SQL injection?

    This is something I brought up that has been kicked around in the IRC channel.

    So now, I am giving this idea a wider audience.

    What about using urlencode() before inserting a string to combat SQL injection? (then using urldecode() before printing it)
    I am infallible, you should know that by now.
    "My favorite language is call STAR. It's extremely concise. It has exactly one verb '*', which does exactly what I want at the moment." --Larry Wall
    (02:15:31 PM) ***TimToady and snake oil go way back...
    42 lines of Perl - SHI - Home Site

  2. #2

    Re: combatting SQL injection?

    May work with the most popular database, but seems like an ugly hack.

    A good way to do it is by using the DBMS's native functions for it. PostgreSQL, for example, has a function to escape strings and also has parametrized queries that do this automatically.

    P.S.: Also, can urlencode handle other encodings than ASCII?
    Last edited by kknd; November 28th, 2008 at 10:22 PM.

  3. #3
    Join Date
    Jan 2006
    Beans
    Hidden!
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: combatting SQL injection?

    I believe so.

    The idea is to use some encoding that has a limited character set.

  4. #4
    Join Date
    Oct 2006
    Location
    Ireland
    Beans
    416
    Distro
    Kubuntu 8.04 Hardy Heron

    Re: combatting SQL injection?

    I imagine there would probably be relatively easy ways around this? Best just to use the escaping functions provided (such as mysql_real_escape_string(), I think, in PHP) AND cast any GET variables to the correct types?

    A very common error on sites is that they just mysql_real_escape_string($_GET[whatever]) and assume it's safe, but when the value given by POST or GET is an integer this provides no safety at all (unless perhaps the integer is surrounded by quotes in the SQL query anyway).
    Saying that you "could care less" about something is implying that you DO care about it, regardless of common usage.
    Using it as a way of saying you don't care is simply wrong.

  5. #5
    Join Date
    Dec 2007
    Location
    UK
    Beans
    571
    Distro
    Ubuntu 7.10 Gutsy Gibbon

    Re: combatting SQL injection?

    I'm creating joomla mods atm and I just mysql_real_escape_string my queries. I can understand people shoving in modified IDs, but how would casting help? Just curious.

  6. #6
    Join Date
    Oct 2006
    Location
    Ireland
    Beans
    416
    Distro
    Kubuntu 8.04 Hardy Heron

    Re: combatting SQL injection?

    Quote Originally Posted by mike_g:
    I'm creating joomla mods atm and I just mysql_real_escape_string my queries. I can understand people shoving in modified IDs, but how would casting help? Just curious.
    If you have "news.php?id=2" and the SQL function was
    Code:
    "SELECT title, whatever, blah FROM news WHERE id=" . mysql_real_escape_string($_GET['id'])
    Then someone could send
    Code:
    news.php?id=2 UNION ALL SELECT concat(username, char(58,58,58), password) FROM users
    NONE of that would get escaped because it contains no apostrophes, special characters or quotation marks, it would execute
    Code:
    SELECT title, whatever, blah FROM news WHERE id=2 UNION ALL SELECT concat(username, char(58,58,58), password) FROM users
    Whereas since "id" will always be an integer in the database, you could cast it before executing the statement; if you did "$id = (int)$_GET[id]" then the above example of injection would not work, because when casting to an int you're ignoring everything but the "2" at the start.

    Not sure if I'm explaining clearly.
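    The integer case from the post above, together with the fixes from post #2 (parameterized queries) and post #6 (casting to int), as an added Python/SQLite example that is not from the thread. The tables, rows and the two-column payload are constructed; the thread's MySQL concat() payload is adapted to SQLite syntax, and the str.replace() call stands in for mysql_real_escape_string().

```python
import re
import sqlite3

# Constructed in-memory database standing in for the thread's "news" and "users" tables.
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
    CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
    INSERT INTO news VALUES (1, 'First post', 'hello'), (2, 'Second post', 'world');
    CREATE TABLE users (username TEXT, password TEXT);
    INSERT INTO users VALUES ('alice', 'hunter2'), ('bob', 's3cret');
""")

# The thread's tampered id, adapted to SQLite: a leading number followed by a UNION.
# (SQLite lacks MySQL's concat(); the column count must also match the outer SELECT.)
TAMPERED_ID = "2 UNION ALL SELECT username, password FROM users"


def news_by_concat(raw_id: str) -> list:
    """Vulnerable pattern from the thread: escaping quotes does nothing for an
    unquoted integer, so the UNION is executed and the users table is returned."""
    escaped = raw_id.replace("'", "''")  # stand-in for mysql_real_escape_string()
    sql = "SELECT title, body FROM news WHERE id=" + escaped
    return _conn.execute(sql).fetchall()


def php_int_cast(raw_id: str) -> int:
    """Mimic PHP's (int) cast: keep the leading integer, anything else becomes 0."""
    m = re.match(r"\s*[+-]?\d+", raw_id)
    return int(m.group()) if m else 0


def news_by_int_cast(raw_id: str) -> list:
    """Fix from post #6: cast first, so only the leading number reaches the query."""
    sql = "SELECT title, body FROM news WHERE id=" + str(php_int_cast(raw_id))
    return _conn.execute(sql).fetchall()


def news_by_param(raw_id: str) -> list:
    """Fix from post #2: a parameterized query never interprets input as SQL.
    int() is stricter than PHP's cast: trailing garbage is rejected outright."""
    try:
        news_id = int(raw_id)
    except ValueError:
        return []
    return _conn.execute("SELECT title, body FROM news WHERE id=?", (news_id,)).fetchall()
```

    Run the three functions on TAMPERED_ID to see the difference: the concatenated query returns the news row plus both user rows, the cast version returns only news row 2, and the parameterized version returns nothing because the input is not a valid integer.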

  7. #7
    Join Date
    Dec 2007
    Location
    UK
    Beans
    571
    Distro
    Ubuntu 7.10 Gutsy Gibbon

    Re: combatting SQL injection?

    Not sure if I'm explaining clearly.
    Yeah, dunno. I'm too drunk to pay attention, so I'll thank you anyway; although I'm sure you're right on this.

    But it's going to mean more work for me tho.

  8. #8
    Join Date
    Oct 2006
    Location
    Ireland
    Beans
    416
    Distro
    Kubuntu 8.04 Hardy Heron

    Re: combatting SQL injection?

    Quote Originally Posted by mike_g:
    But its going to mean more work for me tho
    Only really affects integers, for strings it's fine to just use mysql_real_escape_string() AFAIK.

  9. #9
    Join Date
    Dec 2007
    Location
    The last place I look
    Beans
    Hidden!
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: combatting SQL injection?

    Personally, I avoid inline SQL in my source. Everything runs through parameterized stored procedures. Between that and sanitation of all input, it gives me several levels of protection.

    good luck,
    franklin

  10. #10
    Join Date
    May 2007
    Beans
    880
    Distro
    Ubuntu Development Release
