True, but the question was about MySQL.
However this is the factor you have to consider before you start implementing
you application - should it run on more than one database server?
If NOT, then do not worry or if it takes 3 minutes to rewrite stuff do not
worry either.
If YES then you should (as you probably do) use some sort of a wrapper to
database (usually called "Database abstraction layer" or "Database class"),
which should provide correct and consistent string escaping function to your
application. Then the simple use would be:
$string = $db->str_escape($string);
In MySQL wrapper class it should be implemented as
function str_escape ($string)
{
return mysql_real_escape_string($string);
}
In PgSQL wrapper:
function str_escape ($string)
{
return pg_escape_string($string);
}
If you use this approach throughout your code then it shouldn't be more
difficult to switch the database server that to switch the "database class
file" (assuming you do not use database-server-in-use specific features which
are not ANSI compliant)
Mind that if you get your data from forms you should check if it is already
"slashed" - you should strip slashes if you do you escaping manually.
if (get_magic_quotes_gpc() == 1) {
$string = stripslashes($string);
}
regards,
Bostjan
On Wednesday 11 May 2005 21:20, [EMAIL PROTECTED] wrote:
> Don't forget your native database escaping function. PHP has this one for
> MySQL, for example:
>
> mysql_real_escape_string()
>
> That should properly escape everything that could be used against MySQL to
> perform an injection.
>
> There should be some equivalent commend in the various database connection
> routines and abstraction layers. Takes some of the work out of trying to
> properly escape everything manually.
>
> -TG
>
> = = = Original message = = =
>
> it depends
>
> by having register_globals set to on (server config) it is usually easier
> to create sql-injection exploit, but it is not required. What is true is
> that well written script will defend/sustain such attacks regardles how
> server is configured (unless configuration is really f*cked up).
>
> Prevention is simply trying to follow few simple rules:
>
> 1. SQL statemens that have no PHP variables are NOT vulnerable:
> $sql = 'SELECT value FROM values WHERE key = 123';
> $db->query($sql);
> (nothing vulnerable here)
>
>
>
> 2. If you do not check what you are putting into SQL statements via
> ~PHP variables - add slashes and put it in quotes:
> ($key = 123;) - you get this from some kind of form or URI
>
> $key_as = addslashes($key); // you should check if slashes were already
> added by php (magic_quotes) $sql = "SELECT value FROM values WHERE key =
> '$key'";
> $db->query($sql);
>
>
>
> 3. If you do not put your variable into quotes - check it!
> if (!preg_match('/^[0-9]+/', $key))
> ~echo "Hack attempt!"; exit;
>
> $sql = "SELECT value FROM values WHERE key = $key";
> $db->query($sql);
>
> (if you will not check it anything can get into your sql statement)
>
>
> 4. All the above assumes you have already assessed potential remote file
> inclusion vulnerabilities.
>
>
> Regards,
> Bostjan
>
> On Wednesday 11 May 2005 14:15, [EMAIL PROTECTED] wrote:
> > I have a site and the other days i received a message from a guy that
> > told me my site is vulnerable to mysql injections. I do not know how can
> > i prevent this. The server is not configured or it's all about the
> > script?
> >
> >
> > ----- Original Message -----
> > From: "Bostjan Skufca @ domenca.com" <[EMAIL PROTECTED]>
> > To: <php-general@lists.php.net>
> > Sent: Wednesday, May 11, 2005 1:50 PM
> > Subject: Re: [PHP] MySql injections....
> >
> > > Probably you mean about "prevening mysql injections" - or not? :)
> > >
> > > Bostjan
> > >
> > > On Wednesday 11 May 2005 11:38, [EMAIL PROTECTED] wrote:
> > >> Hi,
> > >> This is not the proper list to put this question but i hope you can
> > >> help me. Does anyone know a good tutorial about mysql injections?
> > >>
> > >> Thanks a lot for your help
> > >
> > > --
> > > PHP General Mailing List (http://www.php.net/)
> > > To unsubscribe, visit: http://www.php.net/unsub.php
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
> ___________________________________________________________
> Sent by ePrompter, the premier email notification software.
> Free download at http://www.ePrompter.com.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
