Protection :: Injection Attacks

Zoram
Forum Contributor
Posts: 166
Joined: Sun Aug 18, 2002 3:28 pm
Location: Utah

Protection :: Injection Attacks

Post by Zoram »

Does anyone know some tips on stopping injection attacks?
Thanks!
Genteel Beaux
Forum Commoner
Posts: 28
Joined: Wed Nov 13, 2002 4:07 pm
Location: Alabama

I have a stupid question.

Post by Genteel Beaux »

What are injection attacks?
AVATAr
Forum Regular
Posts: 524
Joined: Tue Jul 16, 2002 4:19 pm
Location: Uruguay -- Montevideo

good point

Post by AVATAr »

Good point... I validate the form values before I build my SQL statements (globals off, I check the length, use ''...).

some articles:

http://www.owasp.org/asac/input_validation/sql.shtml
http://www.devarticles.com/art/1/138

:wink:
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

I use numerical values as often as possible for queries and let PHP perform an explicit typecast on those values:

    // Cast the submitted id to int so only a number is ever concatenated into the SQL
    $query = 'SELECT field1 FROM table1 WHERE id='.((int)$_POST['id']);
Let mysql_escape_string handle all other user-values.
Zoram
Forum Contributor
Posts: 166
Joined: Sun Aug 18, 2002 3:28 pm
Location: Utah

Post by Zoram »

What about when you have to use strings?
Could you run it through some function so that it wouldn't get read by MySQL?
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

volka wrote:
    Let mysql_escape_string handle all other user-values.

;)
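The two defenses volka describes (an explicit (int) cast for numeric values, escaping for string values), as an added example that is not code from the thread; it also goes one step beyond the thread by binding the value with a prepared statement. It runs against an in-memory SQLite database through PDO (assumed available as the pdo_sqlite extension) so no MySQL server is needed, and it uses PDO::quote() as the stand-in for mysql_escape_string(), which was removed in PHP 7.

```php
<?php
// Added example (not from the thread). Uses an in-memory SQLite database
// via PDO so it runs offline; assumes the pdo_sqlite extension is loaded.

// Defense 1: explicit cast for numeric values (volka's first post).
function intQuery(string $untrustedId): string {
    // (int) turns "1 OR 1=1" into 1, so only a number ever reaches the SQL text.
    return 'SELECT name FROM users WHERE id=' . ((int)$untrustedId);
}

// Defense 2: escape string values (volka's second post).
// PDO::quote() stands in for mysql_escape_string(): it wraps the value in
// quotes and escapes any quote characters inside it.
function escapedQuery(PDO $db, string $untrustedName): string {
    return 'SELECT id FROM users WHERE name=' . $db->quote($untrustedName);
}

// Defense 3 (beyond the thread): bind the value as a parameter, so it is
// never spliced into the SQL text at all and needs no escaping.
function findIdByName(PDO $db, string $untrustedName): ?int {
    $stmt = $db->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->execute([':name' => $untrustedName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int)$row['id'];
}

// Constructed sample data; the second name contains an apostrophe, the
// character that breaks naive string concatenation.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'O''Brien')");

// A numeric field fed a non-numeric string collapses to a single integer.
echo intQuery('1 OR 1=1'), "\n";

// Quoting keeps the apostrophe inside one literal and the query still runs.
$sql = escapedQuery($db, "O'Brien");
echo $sql, "\n";
echo $db->query($sql)->fetchColumn(), "\n";

// Binding gives the same answer with no string assembly.
var_dump(findIdByName($db, "O'Brien"));
var_dump(findIdByName($db, 'nobody'));
```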