[thelist] Web Database Security (was: how did they hack...)

Simon Coggins ppxsjc1 at unix.ccc.nottingham.ac.uk
Thu Apr 19 10:51:16 CDT 2001


> http://www.webreview.com/2001/04_13/developers/index02.shtml

That's a good article, but it did leave me with one question:

I can understand how you can validate some fields to prevent malicious
attacks (such as checking IDs are integers), but what do you do about text
fields?

At present I use SQL like this in my PHP/MySQL applications:

INSERT INTO TableName (name,email,comment) VALUES
('$name','$email','$comment')

I thought that since single quotes are escaped by PHP magic quotes it
would be impossible to "break into" my SQL syntax with a comment like:

$comment = "my nasty comment)' DROP TableName"

which *should* result in harmless SQL syntax of:

INSERT INTO TableName (name,email,comment) VALUES
('name','email','my nasty comment)\' DROP TableName')

Am I missing something here? Any other security tips/URLs?


Simon
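Added example, not part of Simon's post: the same INSERT run three ways against an in-memory SQLite database (standing in for MySQL, since the verifier runs Python) with the exact comment string from the post. The `magic_quotes` helper is a constructed imitation of PHP's backslash escaping; the point it makes is that escaping rules are database-specific, whereas parameter binding needs no escaping at all.

```python
import sqlite3

# Constructed sample input: the comment from the post, carrying a quote and a
# parenthesis that would end the string literal if inserted unescaped.
NASTY_COMMENT = "my nasty comment)' DROP TableName"

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE TableName (name TEXT, email TEXT, comment TEXT)")
    return conn

def magic_quotes(s):
    """Backslash escaping in the style of PHP's magic quotes (MySQL syntax)."""
    return s.replace("\\", "\\\\").replace("'", "\\'")

def insert_interpolated(conn, name, email, comment):
    """The pattern from the post: values pasted into the SQL text. Correctness
    depends on every value having been escaped in the way *this* database
    understands; any gap lets data become syntax."""
    sql = ("INSERT INTO TableName (name,email,comment) VALUES "
           f"('{name}','{email}','{comment}')")
    conn.execute(sql)

def insert_parameterized(conn, name, email, comment):
    """Parameter binding: the SQL text is fixed and the data travels
    separately, so nothing inside the data can change the statement."""
    conn.execute("INSERT INTO TableName (name,email,comment) VALUES (?,?,?)",
                 (name, email, comment))

def stored_comments(conn):
    return [row[0] for row in conn.execute("SELECT comment FROM TableName")]

def try_insert(fn, comment):
    """Run one insertion strategy; report the stored rows or the SQL error."""
    conn = new_db()
    try:
        fn(conn, "name", "email", comment)
        return stored_comments(conn)
    except sqlite3.Error as exc:
        return f"error: {exc}"

def demo():
    return {
        "raw": try_insert(insert_interpolated, NASTY_COMMENT),
        # Backslash escaping is MySQL-specific: SQLite does not treat \' as an
        # escaped quote, so the "escaped" text still breaks the statement.
        "magic_quotes": try_insert(insert_interpolated, magic_quotes(NASTY_COMMENT)),
        "bound": try_insert(insert_parameterized, NASTY_COMMENT),
    }
```

Run `demo()` to see the raw and magic-quoted inserts fail with a syntax error while the bound insert stores the comment verbatim; the same binding approach is available in PHP through mysqli or PDO prepared statements.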