[thelist] Re: Avoiding SQL Injection

Ken Schaefer Ken at adOpenStatic.com
Mon Mar 21 21:07:58 CST 2005


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: From: thelist-bounces at lists.evolt.org [mailto:thelist-
: bounces at lists.evolt.org] On Behalf Of Brooking, John
: Subject: [thelist] Re: Avoiding SQL Injection
: 
: I do believe you may be right, because the fact that 
: I'm storing it in a string column means that
: a SQL attack string is going to have to close the quote 
: that I opened in my code in order to get the rest of 
: his nefarious scheme to parse correctly. So by definition, 
: it has at least one single quote, so escaping all single
: quotes will prevent any other potential special characters, 
: such as semi-colons, from being evaluated as anything 
: other than characters inside a string. I hadn't 
: thought that through before!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I am preparing a response to Joshua's previous post. However, as I mentioned,
a system of simply escaping single quotes when inserting data from your users
is *not* sufficient for preventing every type of malicious attack against
your application. 

This is not a simple topic - advanced SQL Injection attacks are not trivial,
and so presenting something concise that also sufficiently demonstrates the
point isn't a quick-n-easy post for me (especially since it's not an area I
deal with day-in and day-out, and so I don't have anything pre-canned I can
send to the list)

Use prepared statements. JDBC has stuff for this. ADO has stuff for this.
ADO.NET as well. I don't know what PHP uses to connect to mySQL, but
magic_quotes and is_int are not sufficient safeguards against every type of
attack if you are building SQL inline in your PHP code.

Cheers
Ken

--
www.adOpenStatic.com/cs/blogs/ken/
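The following is an added example, not code from Ken's post or from the thread. It shows, in Python against an in-memory SQLite database (standing in for the MySQL/PHP setup under discussion), why quote-escaping alone is not enough: it does stop the string-column attack John describes, but it does nothing when the value is spliced into a numeric comparison with no surrounding quotes, and a bound parameter closes both holes. The `users` table, the `escape_quotes` helper and the attack strings are all constructed here for illustration.

```python
import sqlite3


def make_db():
    """Build a small constructed users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", 1), (2, "bob", 0), (3, "carol", 0)],
    )
    return conn


def escape_quotes(value):
    """Quote-only escaping, the safeguard discussed in the thread
    (the effect magic_quotes / addslashes has on single quotes)."""
    return str(value).replace("'", "''")


def lookup_by_name_inline(conn, name):
    """Inline SQL, string column: the value sits between quotes, so an
    attacker must first close the quote, and escaping blocks that."""
    sql = "SELECT id, name FROM users WHERE name = '" + escape_quotes(name) + "'"
    return conn.execute(sql).fetchall()


def lookup_by_id_inline(conn, user_id):
    """Inline SQL, numeric column: the developer wrote no quotes around
    the value, so there is nothing to close and escaping is irrelevant.
    Input "2 OR 1=1" becomes: WHERE id = 2 OR 1=1  (every row matches)."""
    sql = "SELECT id, name FROM users WHERE id = " + escape_quotes(user_id)
    return conn.execute(sql).fetchall()


def lookup_by_id_prepared(conn, user_id):
    """Prepared statement: the value is bound as data, never parsed as SQL.
    "2 OR 1=1" is compared as a single (non-numeric) value and matches nothing."""
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # String column, quote-escaping holds:
    print(lookup_by_name_inline(db, "alice' OR '1'='1"))   # []
    # Numeric column, quote-escaping is useless:
    print(lookup_by_id_inline(db, "2 OR 1=1"))             # all three rows
    # Parameter binding, same attack string:
    print(lookup_by_id_prepared(db, "2 OR 1=1"))           # []
```

The numeric case is exactly the hole that quote-escaping cannot see: the injected text contains no quote character at all, so there is nothing to escape, and the whole expression is appended to the query as live SQL. Binding the value as a parameter fixes it regardless of column type, which is why Ken's advice is to use the driver's prepared-statement support rather than to keep patching the string-building code.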

