I've started a thread on the topic some time ago on the php list, after some
extensive reading and testing and these were the main conclusions:
1.1. ALWAYS pass "addslashed" values and always pass them quoted in the SQL
statement. That is "insert into table1 set id='$id'" even if $id is known to
always have numeric values. That's because you may get an $id='; delete
where 1=1'. This specific situation results in an error message in MySQL,
but... better safe than sorry. If you do this, make sure you addslshes($id)
beforehand - otherwise you may get an $id="'; delete where 1=1" and that
would still be potentially dangerous.
An alternative to this would be
1.2. addslashes() to text values and for numeric values just do an
"$id=abs($id)" beforehand - this elimiates text from $id, evaluating it to
an integer/float.

2. Make sure you are extra careful with delete statements. In generic
statements, your main concern should be general security, so that people
can't access data they're not supposed to (that's because, as I said,
passing two SQL statements usually issues an error). In delete statements
however, you may get for your "delete from table1 where id=$id" a $id of the
form "1 or 1=1" which would delete you whole table.

3. OT, but you should be very extra super careful when using exec()

Well, that's about all there is to it (in my opinion anyways). The big
problem is sticking to it and always use these. The problem is even bigger
if you develop for open-source because... You get it...


PS. Only now have I noticed you are using PostgreSQL. Never worked with it
but it seems it's able to accept multiple queries from a single PHP call, so
you should seriously consider points 1.1 and 1.2.

PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to