Quoting rain forest puppy ([EMAIL PROTECTED]):
> ----[ 3. Solution
<cut>
> In the end, *all* (let me repeat that... **ALL**) incoming user data
> should be passed through quote(), onlynumbers(), or scrubtable()...NO
> EXCEPTIONS! Passing user data straight into a SQL query is asking for
> someone to tamper with your database.
>
> New versions of wwwthreads are available from www.wwwthreads.com, which
> implement the solutions pretty much as I've described them here.
If the script accessing the database uses DBI, it's better to handle a query
the following way:
# prepare once with '?' placeholders; the values never touch the SQL text
my $sth = $dbh->prepare("INSERT INTO table (foo,bar) VALUES (?,?)");
$sth->execute($evil_unquoted_string, $evil_unquoted_other_string);
Using the '?' placeholders takes care of quoting, and allows re-execute()ing
the query with different parameters.
I must admit here that not all DBI drivers support placeholders, but most do.
Of course, catch the results and check them. Insertion of non-numerics into
your database is checked when you actually _do_ the insert.
Greets,
Robert/Emphyrio
--
| [EMAIL PROTECTED] - Cistron Internet Services - www.cistron.nl |
| php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security |
| My statements are mine, and not necessarily cistron's. |
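The placeholder approach described in the reply above, as an added example that is not part of the original message or of wwwthreads. It assumes DBD::SQLite is installed and uses an in-memory database; the table, the rows and the "user" input (an author name containing an apostrophe) are constructed for the demonstration. It puts the string-interpolated query beside the prepared one, re-executes the same statement handle for several rows, and checks the return value of execute() as the reply recommends.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available. Any DBD driver that supports
# placeholders behaves the same way for the prepared statement below.
my $dbh = DBI->connect( "dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 } );

$dbh->do("CREATE TABLE posts (author TEXT NOT NULL, body TEXT NOT NULL, hits INTEGER NOT NULL)");

# Constructed input. A single apostrophe is enough to break naive interpolation.
my @rows = (
    [ "O'Brien",  "first post",  1 ],
    [ "Emphyrio", "second post", 2 ],
);

# Unsafe: the user string becomes part of the SQL text. The apostrophe ends
# the literal early, so the statement is malformed and the insert fails.
sub insert_interpolated {
    my ( $author, $body, $hits ) = @_;
    my $sql = "INSERT INTO posts (author, body, hits) VALUES ('$author', '$body', $hits)";
    eval { $dbh->do($sql); 1 } or return "failed: $@";
    return "ok";
}

# Safe: prepare once with '?' placeholders and execute many times. The driver
# sends the values separately from the SQL text, so no quoting is required.
my $sth = $dbh->prepare("INSERT INTO posts (author, body, hits) VALUES (?, ?, ?)");

sub insert_placeholder {
    my ( $author, $body, $hits ) = @_;
    # execute() returns the affected row count; with RaiseError it dies on
    # failure, which eval turns into an undef return we can check.
    my $rv = eval { $sth->execute( $author, $body, $hits ) };
    return defined $rv ? "ok ($rv row)" : "failed: $@";
}

for my $r (@rows) {
    printf "interpolated: %s\n", insert_interpolated(@$r);
    printf "placeholder:  %s\n", insert_placeholder(@$r);
}

# Type problems surface only when the insert actually runs, which is why the
# result must be checked. SQLite is loosely typed and stores the string in the
# INTEGER column; engines such as PostgreSQL reject it at execute() time.
printf "non-numeric hits: %s\n", insert_placeholder( "x", "y", "not-a-number" );

# Placeholders work for reads too, so the apostrophe is no problem here either.
my ($n) = $dbh->selectrow_array(
    "SELECT COUNT(*) FROM posts WHERE author = ?", undef, "O'Brien" );
print "rows for O'Brien: $n\n";
```

Running it shows the interpolated insert failing with a syntax error for "O'Brien" while the placeholder insert stores the row intact; swapping in a stricter engine also makes the final non-numeric insert return "failed", which is the case the reply says must be caught by checking the result rather than by validating up front.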