[thelist] Web Database Security (was: how did they hack...)
Simon Coggins
ppxsjc1 at unix.ccc.nottingham.ac.uk
Thu Apr 19 10:51:16 CDT 2001
> http://www.webreview.com/2001/04_13/developers/index02.shtml
That's a good article, but it did leave me with one question:
I can understand how you can validate some fields to prevent malicious
attacks (such as checking IDs are integers), but what do you do about text
fields?
At present I use SQL like this in my PHP/MySQL applications:
INSERT INTO TableName (name,email,comment) VALUES
('$name','$email','$comment')
I thought that since single quotes are escaped by PHP magic quotes it
would be impossible to "break into" my SQL syntax with a comment like:
$comment = "my nasty comment)' DROP TableName"
which *should* result in a harmless SQL syntax of:
INSERT INTO TableName (name,email,comment) VALUES
('name','email','my nasty comment)\' DROP TableName')
Am I missing something here? Any other security tips/URLs?
Simon
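An added example, not from Simon's post or from thelist, of the approach that sidesteps the escaping question entirely: text fields go to the database as bound parameters rather than being spliced into the SQL string, and ID fields are type-checked before use. It assumes Python's sqlite3 module standing in for PHP/MySQL; the table and sample values are constructed here.

```python
import sqlite3

# Constructed sample input: the exact comment from the post above.
NASTY_COMMENT = "my nasty comment)' DROP TableName"


def open_db():
    # In-memory database with the same column layout as the post's TableName.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE TableName ("
        "id INTEGER PRIMARY KEY, name TEXT, email TEXT, comment TEXT)"
    )
    return conn


def insert_comment(conn, name, email, comment):
    # Placeholders: the driver hands the values to the engine separately from
    # the SQL text, so a quote inside the comment is data, never syntax.
    # No escaping step is needed and the value is stored verbatim.
    conn.execute(
        "INSERT INTO TableName (name, email, comment) VALUES (?, ?, ?)",
        (name, email, comment),
    )
    conn.commit()
    row = conn.execute(
        "SELECT comment FROM TableName WHERE name = ?", (name,)
    ).fetchone()
    return row[0]


def get_comment_by_id(conn, raw_id):
    # An ID is not wrapped in quotes in the SQL, so a quote-escaping filter
    # such as magic quotes has nothing to act on there; the defence is to
    # reject anything that is not an integer before it reaches the query.
    if not isinstance(raw_id, str) or not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    row = conn.execute(
        "SELECT comment FROM TableName WHERE id = ?", (int(raw_id),)
    ).fetchone()
    return row[0] if row else None


def table_row_count(conn):
    # Used to confirm the table survived the insert of the nasty comment.
    return conn.execute("SELECT COUNT(*) FROM TableName").fetchone()[0]
```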