Protection :: Injection Attacks

Posted: Wed Dec 04, 2002 10:55 am
by Zoram
Does anyone know some tips on stopping injection attacks?
Thanks!

I have a stupid question.

Posted: Wed Dec 04, 2002 10:57 am
by Genteel Beaux
What are injection attacks?

good point

Posted: Wed Dec 04, 2002 3:52 pm
by AVATAr
Good point... I usually validate the form values before I make my SQL statements (use global off, I check length, use ''...).

some articles:

http://www.owasp.org/asac/input_validation/sql.shtml
http://www.devarticles.com/art/1/138

:wink:

Posted: Wed Dec 04, 2002 5:40 pm
by volka
I use numerical values as often as possible for queries and let PHP perform an explicit typecast on those values.

Code:

$query = 'SELECT field1 FROM table1 WHERE id='.((int)$_POST['id']);

Let mysql_escape_string handle all other user-values.

Posted: Wed Dec 04, 2002 6:13 pm
by Zoram
What about when you have to use strings?
Could you run it through some function so that it wouldn't get read by MySQL?

Posted: Wed Dec 04, 2002 6:28 pm
by volka
volka wrote: Let mysql_escape_string handle all other user-values.
;)
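
The two cases discussed in the thread (numeric values and strings), as an added example that is not part of the original posts. It assumes PHP 7+ with the pdo_sqlite extension and uses PDO bound parameters for the string case in place of mysql_escape_string, which was removed together with the old mysql extension in PHP 7.0; the `name` column, the helper functions and all sample values are constructed for illustration.

```php
<?php
// Added example, not code from the thread. table1/field1/id follow volka's
// query; the "name" column and every row and input value are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE table1 (id INTEGER PRIMARY KEY, field1 TEXT, name TEXT)');
$db->exec("INSERT INTO table1 VALUES (1, 'alpha', 'Smith'), (2, 'beta', 'O''Brien')");

// Numeric value: validate first, then cast. A bare (int) cast turns
// "2 OR 1=1" into 2 and "abc" into 0 without any error, so the query is safe
// but may run with a value the user never meant; validation rejects it instead.
function fetchById(PDO $db, $rawId): array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];                       // not an integer: no query is run
    }
    $sql = 'SELECT field1 FROM table1 WHERE id=' . (int)$id;
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// String value: bound parameter. The value travels separately from the SQL
// text, so quotes inside it are data and cannot end the string literal.
function fetchByName(PDO $db, string $rawName): array
{
    $stmt = $db->prepare('SELECT field1 FROM table1 WHERE name = :name');
    $stmt->execute([':name' => $rawName]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs standing in for $_POST values.
foreach (['2', '2 OR 1=1', 'abc'] as $in) {
    printf("id input %-12s cast=%d rows=%s\n",
        json_encode($in), (int)$in, json_encode(fetchById($db, $in)));
}
foreach (["O'Brien", "x' OR '1'='1"] as $in) {
    printf("name input %-16s rows=%s\n",
        json_encode($in), json_encode(fetchByName($db, $in)));
}
```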