[nycphp-talk] More confused now than before by PHP security!
Dan Cech
dcech at phpwerx.net
Sun Jan 22 08:32:15 EST 2006
IMHO Chris wasn't as explicit as he could have been with regards to the
conclusion of the article, but basically the point is something like this:
When constructing SQL, any input should be properly escaped taking into
account the character set of the connection. The
mysql_real_escape_string() function is designed to do exactly this. If
you do not take this into account you are vulnerable to hacks of the
type described in the article.
If you are using a database abstraction layer such as PEAR::DB or adodb
you also have the option of using their variable binding in your
queries, which will perform this transparently.
In this case the query would look something like:
$sql = 'SELECT *
        FROM users
        WHERE username = ?
        AND password = ?';     // placeholders, no quoting inside the SQL text
$args = array(
    $mysql['username'],        // raw user input, passed as data, never interpolated
    $mysql['password'],
);
$result = $db->query($sql, $args);   // the abstraction layer binds $args for you
This is the method I usually use as it clearly separates the data from
the query and makes it almost impossible to miss quoting something,
making your code simpler and more secure at the expense of a little
overhead.
There are quite a few other arguments against using addslashes, some of
which are outlined in the phundamentals article here:
http://www.nyphp.org/phundamentals/storingretrieving.php
Dan
edward potter wrote:
> Based on this article, how do you write secure PHP code, the author
> seems to claim that there is no 100% way? A bit confusing. What can I
> do to totally prevent an sql hack attack?
>
> http://shiflett.org/archive/184
> The addslashes() Versus mysql_real_escape_string() Debate
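The two approaches Dan contrasts, side by side, as an added example that is not part of the original thread. It uses the mysqli extension (the successor of the mysql_ functions the article discusses) rather than PEAR::DB, and it assumes a MySQL server reachable with the placeholder credentials below and a `users` table with `id`, `username` and `password` columns; the hashing comment reflects current practice, not the thread's own query.

```php
<?php
// Added example, not code from the original thread. Connection details are
// placeholders; adjust them for your own environment.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
if ($db->connect_error) {
    exit('Connection failed: ' . $db->connect_error);
}

// The character set must be declared through the client API. If you only send
// "SET NAMES ..." as a query, the server switches but the client library does
// not, and real_escape_string() will escape for the wrong (default) charset,
// which is exactly the multibyte gap Chris's article describes.
$db->set_charset('utf8mb4');

// Approach 1: escaping. Safe only because the client knows the charset above,
// and only if every interpolated value is escaped, every time.
function find_user_escaped(mysqli $db, string $username, string $password): ?array
{
    $u = $db->real_escape_string($username);
    $p = $db->real_escape_string($password);
    $sql = "SELECT id, username FROM users WHERE username = '$u' AND password = '$p'";
    $result = $db->query($sql);
    if ($result === false) {
        return null;
    }
    $row = $result->fetch_assoc();
    $result->free();
    return $row ?: null;
}

// Approach 2: binding. The SQL text never contains user data, so there is no
// quoting decision to get wrong and the charset question does not arise for
// the parameters at all.
function find_user_bound(mysqli $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ? AND password = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('ss', $username, $password);   // 's' = bind as string
    $stmt->execute();
    $stmt->bind_result($id, $name);
    $row = $stmt->fetch() ? ['id' => $id, 'username' => $name] : null;
    $stmt->close();
    return $row;
}

// Usage: read the raw request values and hand them straight to the bound
// version; no addslashes(), no manual quoting. (In a real application the
// password column would hold a hash and you would compare with
// password_verify() after fetching by username only.)
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
$user = find_user_bound($db, $username, $password);
if ($user === null) {
    echo "Login failed\n";
} else {
    echo "Welcome, " . htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8') . "\n";
}
```

Both functions accept identical input; the difference is that find_user_bound() cannot be broken by forgetting an escape call or by a charset mismatch, which is why Dan prefers the binding style despite its small overhead.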