SQL injection protection

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

OldJames
Forum Newbie
Posts: 1
Joined: Mon Jul 24, 2006 2:09 pm

SQL injection protection

Post by OldJames »

I'm writing a small bulletin board system for a pre-existing code base. I'm to use a pre-existing authentication class. This class uses URLEncode() on the user name to avoid any malicious code being injected. Is URLEncode sufficient in this case? Is there a way that a malicious user could still perform an exploit in the user field to gain unauthenticated access?
I know that an additional SQL query has spaces, so that's not a problem, but I'm sure I read somewhere that you can encode special characters to bypass URL encoding, i.e. to pass in a single quote or something similar.

Any ideas and suggestions would be appreciated. I don't think I can modify the existing code without good cause.

Thanks boys and girls.
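As an added example (not code from this thread or from the code base OldJames describes), the urlencode()-then-interpolate pattern from the question placed beside a parameterised query, plus the check a reviewer could apply to the existing class; the users table, its columns and the sample rows are assumptions.

```php
<?php
// Added example: contrasts urlencode() as an injection defence with a
// prepared statement. Uses PDO with an in-memory SQLite database so it runs
// stand-alone; the schema below is an assumption for illustration only.

// The pattern described in the question: encode the value, then interpolate
// it into a quoted string literal.
function lookupUserUrlencoded(PDO $db, string $username): ?array
{
    $safe = urlencode($username);
    // urlencode() leaves only [A-Za-z0-9_.-] unencoded, so the quote that
    // would close the literal below cannot survive the encoding. The defence
    // therefore rests on two things staying in sync: the encoding, and the
    // single quotes around $safe. Change either and it silently stops working.
    $sql = "SELECT id, username FROM users WHERE username = '$safe'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// The defence that does not depend on encoding or quoting: bind the value
// as a parameter so the driver never parses it as SQL.
function lookupUserPrepared(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Check for the existing class: whatever reaches the query must consist only
// of characters urlencode() can emit. Anything else means the encoding step
// was skipped or undone somewhere between input and query.
function isUrlencodedForm(string $s): bool
{
    return preg_match('/\A[A-Za-z0-9_.%+-]*\z/', $s) === 1;
}

$db = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (username) VALUES (:u)');
foreach (['alice', "O'Brien"] as $name) {   // constructed sample rows
    $ins->execute([':u' => $name]);
}

// A legitimate name containing a quote: the urlencode path queries for
// "O%27Brien" and misses the stored row, while the prepared path matches it.
var_dump(lookupUserUrlencoded($db, "O'Brien"));
var_dump(lookupUserPrepared($db, "O'Brien"));
var_dump(isUrlencodedForm(urlencode("O'Brien")));
```

The side effect shown with "O'Brien" is the practical reason to prefer the prepared statement: urlencode() was designed to make a string safe inside a URL, and the values it produces only match stored data if every write path encoded them the same way.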
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

We've talked about injection in many threads on this board. Have a read through them. You may find some nice solutions and answers to your questions. :)
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Key terms: sql injection and xss injection