NYCPHP Meetup

NYPHP.org

[nycphp-talk] php in securityfocus 218

Analysis & Solutions danielc at analysisandsolutions.com
Tue Oct 14 09:26:44 EDT 2003


Hi Chris:

On Tue, Oct 14, 2003 at 08:47:29AM -0400, Chris Snyder wrote:

> $email = $_GET['email'];
> $safeemail = addslashes($email);
> $query = "SELECT * FROM supplicants WHERE email='$safeemail' ";
> 
> Is this safe, or is my site at the mercy of a clever SQL injector?

For the most part.

To avoid all potential problems, it's a good idea to check that the data
matches your expected format.  For instance, if it's supposed to be a
small integer, make sure it only contains numbers and is less than five 
characters long.  This example prevents errors from overflowing and trying 
to put in non-numeric characters.

Under this regimen, addslashes() is only needed for strings that are
allowed to contain SQL related characters.  So, you wouldn't need
addslashes(), say, for input you validated to either be a "Y" or an "N."

Also, the step of converting $_GET['email'] to $email is superfluous.  
You could save some time and memory by putting $_GET['email'] in the
addslashes() call.

Enjoy,

--Dan

-- 
     FREE scripts that make web and database programming easier
           http://www.analysisandsolutions.com/software/
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
 4015 7th Ave #4AJ, Brooklyn NY    v: 718-854-0335   f: 718-854-0409
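The validate-first approach discussed in the thread, written out as an added example (this is not code from the original message or from NYPHP). The table and column names (supplicants, email, age, optin), the helper function names, the sample inputs and the PDO connection variable are all assumptions made for illustration; the PDO variant at the end shows the parameterised-query equivalent that removes the escaping step entirely.

```php
<?php
// Added example, not from the original thread: check each input against the
// format it is supposed to have, and escape only the string fields that can
// still carry SQL-significant characters after validation.
// Table/column names and sample values below are constructed for illustration.

// A "small integer": digits only and fewer than five characters, as the thread
// describes. Returns the integer, or null if the input does not match.
function validate_small_int(string $raw): ?int {
    return preg_match('/^\d{1,4}$/', $raw) ? (int) $raw : null;
}

// A Y/N flag: only the two literal values are accepted, so the result never
// needs addslashes() before it is placed in a query.
function validate_yes_no(string $raw): ?string {
    return ($raw === 'Y' || $raw === 'N') ? $raw : null;
}

// An e-mail address: reject anything that does not look like one and cap the
// length so oversized input cannot reach the database layer.
function validate_email(string $raw): ?string {
    if (strlen($raw) > 254) {
        return null;
    }
    return filter_var($raw, FILTER_VALIDATE_EMAIL) !== false ? $raw : null;
}

// Builds the lookup query the way the thread does (addslashes() on the string
// field), but only after the value has passed format validation. Note that a
// valid address may legitimately contain an apostrophe (o'brien@example.com),
// which is exactly why the string field still gets escaped.
function build_lookup_query(string $rawEmail): ?string {
    $email = validate_email($rawEmail);
    if ($email === null) {
        return null;
    }
    $safeemail = addslashes($email);
    return "SELECT * FROM supplicants WHERE email='$safeemail'";
}

// Parameterised equivalent: the value is bound, never interpolated, so no
// escaping step exists to get wrong. $pdo is an assumed open PDO connection.
function lookup_with_pdo(PDO $pdo, string $rawEmail): ?array {
    $email = validate_email($rawEmail);
    if ($email === null) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM supplicants WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample inputs, as they might arrive in $_GET.
$samples = [
    'email' => ['alice@example.com', "o'brien@example.com", "x' OR '1'='1"],
    'age'   => ['42', '99999', '12abc'],
    'optin' => ['Y', 'N', 'yes'],
];

foreach ($samples['email'] as $raw) {
    echo json_encode($raw), ' => ', build_lookup_query($raw) ?? 'rejected', "\n";
}
foreach ($samples['age'] as $raw) {
    echo json_encode($raw), ' => ', var_export(validate_small_int($raw), true), "\n";
}
foreach ($samples['optin'] as $raw) {
    echo json_encode($raw), ' => ', var_export(validate_yes_no($raw), true), "\n";
}
```

Running the script shows the injection-shaped string and the out-of-format integers and flags being rejected before any query is built, while the valid address containing an apostrophe is escaped by addslashes() as the thread intends.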


