begin quoting Tracy R Reed as of Thu, Aug 23, 2007 at 01:31:55AM -0700:
> We had some recent SQL injection attacks at my company and upon review
> it seems that we have many thousands of lines of PHP (gross, I know)
> code that are vulnerable due to unvalidated user input being passed
> straight to the db. So I am doing some research and putting together
> some suggestions for safer coding standards in how we talk to the db.
>
> The first thing everyone says is that you should escape special chars
> from the user input data. But that is a pain and somewhat error prone.
> It is easy to miss escaping something.
Don't be clever, then, be clear instead. The input set should be finite (127 symbols, or maybe 255. Unless you have to put up with unicode, in which case, I suggest UTF7). You should be able to write down, longhand, what characters are allowed, disallowed, or need to be escaped. John's approach (downthread) falls out of this -- these are the allowed characters, all others are disallowed -- but if you need to allow for, say, quotes, then you'll need to establish some way of escaping 'em.

> Then I thought about prepared statements and parameterized queries. I
> *think* these are the same thing really, but I'm not sure. Does anyone know?

Often they're used as synonyms, but I think that depends on the language. I don't know how the PHP community uses it. As I understand it, a prepared statement is one that's sent to the database and is compiled; it can be parameterized or not. Since it's compiled, you can't use it for an SQL injection attack -- any parameters are treated as-is.

> We will be wanting to implement this in PHP5. It seems like the only way
> to get prepared statements with PHP5 is to use the PDO module.

I would suggest looking into that.

> Anyone know of a better way to do this? I did some PHP between 1998 and
> 2000 and haven't touched it since so I am way out of date on PHP.

You and me both.

-- 
Think of it as a state machine.

Stewart Stremler
-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-lpsg
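The two approaches discussed in the thread, side by side, as an added example that is not part of the original message or of any code from Tracy's company: the string-interpolation pattern that lets a quote in user input rewrite the query, the PDO prepared statement that binds the same value as data, and the "write down the allowed characters" whitelist. The `users` table, its rows, the function names and the `' OR '1'='1` payload are all constructed for the example; it runs against an in-memory SQLite database through PDO so it needs no server.

```php
<?php
// Added example, not code from the original thread.
// Vulnerable interpolation vs. PDO prepared statement vs. character whitelist.
// Table, rows, function names and payload are constructed sample data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
$db->exec("INSERT INTO users (name, secret) VALUES ('alice', 'a-secret'), ('bob', 'b-secret')");

// The pattern the thread is worried about: user input pasted straight into SQL.
// A single quote in $name ends the string literal and the rest becomes SQL.
function lookupVulnerable(PDO $db, string $name): array
{
    $sql = "SELECT name, secret FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared, parameterized statement: the SQL text (with a placeholder) is
// handed to the driver first, the value is bound afterwards, so the value
// can only ever be compared against the column, never parsed as SQL.
function lookupPrepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, secret FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The "write it down longhand" approach: a finite allowed set, everything
// else rejected. Useful as defence in depth, and the only option for things
// a placeholder cannot carry (column names in ORDER BY, table names).
function isAllowedName(string $name): bool
{
    return preg_match('/^[a-z0-9_]{1,32}$/', $name) === 1;
}

$payload = "' OR '1'='1";

$rows = lookupVulnerable($db, $payload);
printf("interpolated query returned %d row(s)\n", count($rows));

$rows = lookupPrepared($db, $payload);
printf("prepared query returned %d row(s)\n", count($rows));

printf("whitelist accepts payload: %s\n", isAllowedName($payload) ? 'yes' : 'no');
printf("whitelist accepts 'alice':  %s\n", isAllowedName('alice') ? 'yes' : 'no');
```

The interpolated query turns into `WHERE name = '' OR '1'='1'` and hands back every row, secrets included; the prepared one compares the whole payload literally against `name` and matches nothing; the whitelist never lets the payload reach the database at all. One caveat for anyone moving to PDO on MySQL rather than SQLite: the MySQL driver emulates prepares client-side by default, so set `PDO::ATTR_EMULATE_PREPARES` to `false` if you want the statement actually compiled on the server, as the message above describes.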
