> SQL injection works via substituting an SQL query to a
> variable. Query strings that are not transformed properly
> prior to being executed are most vulnerable to such.

> If you've got a web application that would access a database
> (e.g. e-commerce, secure logins, data drawn from database, etc)
> then SQL injection may be applicable to your case.

> To prevent it, consider the following:
> 1) Proactive measures in coding. Code with security in mind.
> 2) Proper permissions for database users at the RDBMS level.
> 3) Transform query strings to proper format (e.g. sprintf(), among others).
> 4) Activities that require database manipulation should be done under
>    secure HTTP.
> 5) Do not unnecessarily expose the database port without encryption
>    to an insecure network.

> And well,... pray that you won't get cracked :D

The simplest and most foolproof way to prevent SQL injection is
to just remember to quote every single GET/POST variable you put
in an SQL query.  You can't inject any SQL if you can't inject
quotes in the GET/POST variable. In PHP, just do:

$getvar = addslashes($getvar);   // backslash-escapes ' " \ and NUL before the value goes into the query

Of course, the problem is this can get tedious and you may forget
to do it (*).  Then there's also the headache of unescaping afterwards
and dealing with inadvertent double-escaping.  Depending on your
php.ini settings, PHP will sometimes escape and unescape GET/POST
variables automatically.

The whole issue of escaping and unescaping is, in fact, one of the ugliest
and most maddening aspects of PHP (and web programming in general).  Advanced
web UI programming requires dealing with SQL, HTML entity, and Javascript
quote escaping, often at the same time, and believe me, it can get REAL
TRICKY.

Inexperienced programmers will code up something that seems to work
correctly, but which will quickly break the moment you start using
special characters in form input.  Incorrectly displayed strings or
worse, a security hole, are the result.


(*) If you use the excellent PHP-ADODB library found at http://adodb.sourceforge.net (Python version coming along...), I believe it prevents SQL injection attacks even if you forget to do character-escaping in your GET/POST variables because it does not seem to allow multiple SQL statements in one query call.


-- reply-to: a n d y @ n e t f x p h . c o m --
Philippine Linux Users' Group (PLUG) Mailing List [EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
Are you a Linux newbie? To join the newbie list, go to http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
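Added worked example (not part of the thread above, and not the poster's or ADODB's code): it shows the three situations the reply describes, in Python with the built-in sqlite3 module rather than PHP so it runs stand-alone. The naive query that splices a GET/POST value straight into the SQL text breaks as soon as a legitimate value contains a quote; the escape-before-quoting approach the reply recommends fixes that but is brittle once the value gets escaped twice (the "inadvertent double-escaping" problem, which is exactly what happens when php.ini's automatic quoting and your own addslashes() both run); and a parameterized query avoids both problems because the value is never part of the query text at all. Note one swapped-in detail: SQLite spells an embedded quote as '' in a string literal, so escape_sql_literal() doubles quotes instead of emitting the backslash form that PHP's addslashes() produces for MySQL. The table, the two rows and the name O'Brien are constructed test data.

```python
import sqlite3


def make_db():
    """Constructed in-memory table with one name that legitimately contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'alice@example.invalid')")
    conn.execute("INSERT INTO users VALUES ('O''Brien', 'ob@example.invalid')")
    conn.commit()
    return conn


def escape_sql_literal(value: str) -> str:
    """Standard-SQL counterpart of addslashes(): make the value safe inside '...'.

    SQLite (and standard SQL) represent a quote inside a literal as ''; PHP's
    addslashes() emits \\' instead, which is the MySQL dialect's form. Either way
    the point is the same: the value can no longer terminate the quoted literal.
    """
    return value.replace("'", "''")


def lookup_unescaped(conn, name: str):
    """The broken pattern from the thread: the raw value is spliced into the SQL text."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def unescaped_query_fails(conn, name: str) -> bool:
    """True if the raw-splice query cannot even be parsed for this input."""
    try:
        lookup_unescaped(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def lookup_escaped(conn, name: str):
    """The reply's recommendation: escape every GET/POST value, then quote it."""
    sql = "SELECT email FROM users WHERE name = '" + escape_sql_literal(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name: str):
    """Placeholder binding: the driver keeps the value out of the query text entirely,
    so there is nothing to escape and nothing to double-escape."""
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE name = ?", (name,))]


if __name__ == "__main__":
    db = make_db()
    print("raw splice fails on O'Brien:", unescaped_query_fails(db, "O'Brien"))
    print("escaped once:", lookup_escaped(db, "O'Brien"))
    # Escaping twice (e.g. automatic quoting plus a manual addslashes()) stores or
    # searches for the wrong string: the row is silently not found.
    print("escaped twice:", lookup_escaped(db, escape_sql_literal("O'Brien")))
    print("parameterized:", lookup_parameterized(db, "O'Brien"))
```

Running it shows the raw-splice query failing to parse on O'Brien, the single-escaped and parameterized lookups both returning ob@example.invalid, and the double-escaped lookup returning nothing, which is the "seems to work until a special character turns up" failure the reply warns about.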
