[thelist] Web Database Security (was: how did they hack...)

Bart Posselt BPOSSELT at dineout.org
Thu Apr 19 11:12:36 CDT 2001


Have you looked at server-side regular expressions? I'm not familiar with PHP, but this might help (it's for ASP): http://dynamic.15seconds.com/Issue/page.asp?Page_Id=306 

Bart

>>> ppxsjc1 at unix.ccc.nottingham.ac.uk 04/19/01 11:52AM >>>

> http://www.webreview.com/2001/04_13/developers/index02.shtml 

That's a good article, but it did leave me with one question:

I can understand how you can validate some fields to prevent malicious
attacks (such as checking IDs are integers), but what do you do about text
fields?

At present I use sql like this in my PHP/MySQL applications:

INSERT INTO TableName (name,email,comment) VALUES
('$name','$email','$comment')

I thought that since single quotes are escaped by PHP magic quotes it
would be impossible to "break into" my sql syntax with a comment like:

$comment = "my nasty comment)' DROP TableName"

which *should* result in a harmless sql syntax of:

INSERT INTO TableName (name,email,comment) VALUES 
('name','email','my nasty comment)\' DROP TableName')

Am I missing something here? Any other security tips/urls?


Simon
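A worked illustration of the question above, added here as an example that is not part of the thread: it runs the post's INSERT three ways (raw interpolation, quote-escaped, and parameterised). Python's sqlite3 stands in for PHP/MySQL, and doubling the single quote stands in for the backslash that magic quotes would add, since SQLite uses the SQL-standard escape.

```python
import sqlite3

# Constructed sample input: the "nasty comment" from Simon's post.
NASTY_COMMENT = "my nasty comment)' DROP TableName"

def new_db():
    """In-memory SQLite database with the table from the post (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE TableName (name TEXT, email TEXT, comment TEXT)")
    return db

def escape_quotes(value):
    """Stand-in for PHP magic quotes: neutralise the string delimiter.
    SQLite doubles a single quote where MySQL accepts a backslash; the
    effect (the quote can no longer end the literal) is the same."""
    return value.replace("'", "''")

def insert_interpolated(db, name, email, comment):
    """The post's INSERT with the values pasted straight into the SQL.
    Unescaped input becomes part of the statement itself."""
    sql = ("INSERT INTO TableName (name,email,comment) VALUES ('%s','%s','%s')"
           % (name, email, comment))
    db.execute(sql)

def insert_escaped(db, name, email, comment):
    """Same INSERT, but every quoted value is escaped first (the magic
    quotes approach from the post)."""
    sql = ("INSERT INTO TableName (name,email,comment) VALUES ('%s','%s','%s')"
           % (escape_quotes(name), escape_quotes(email), escape_quotes(comment)))
    db.execute(sql)

def insert_parameterised(db, name, email, comment):
    """Parameterised query: the driver keeps data and SQL apart, so no
    escaping is needed and a text field cannot change the statement."""
    db.execute("INSERT INTO TableName (name,email,comment) VALUES (?,?,?)",
               (name, email, comment))

def stored_comments(db):
    return [row[0] for row in db.execute("SELECT comment FROM TableName")]

def run_demo():
    """Returns (interpolated_failed, comments stored by the two safe paths)."""
    db = new_db()
    try:
        insert_interpolated(db, "name", "email", NASTY_COMMENT)
        interpolated_failed = False
    except sqlite3.OperationalError:  # the payload broke the SQL syntax
        interpolated_failed = True
    insert_escaped(db, "name", "email", NASTY_COMMENT)
    insert_parameterised(db, "name", "email", NASTY_COMMENT)
    return interpolated_failed, stored_comments(db)
```

Both safe paths store the comment verbatim; the parameterised form does so without depending on an escaping layer being switched on for every quoted field.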

