SQL injection attacks
Posted Mar 31, 2006 16:56 UTC (Fri) by dps
Parent article: SQL injection attacks
There is a simpler fix, which also stops other attacks too... do proper input validation---if something is supposed to be a number, make sure it really is. Numbers like "1 OR 1=1" (without the quotes) can do evil things in contexts expecting numbers. Input validation stops that too.
Using magic_quotes_gpc, SQL syntax randomisation, etc. are all useful backstops in case you somehow fail to properly validate something. I have my doubts about the security of stored procedures when fed evil input, unless handling it safely is a primary design goal.
Sadly there is no agreement about parameters in prepared statements. ODBC and MySQL want ?. PostgreSQL wants $1, $2, etc. and Oracle accepts $<almost anything>. (This sort of thing is one of the "joys" of writing multiple database server SQL.)
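An added example (not part of the comment above) showing the two points it makes: a strict integer check that rejects "1 OR 1=1" before it reaches the database, and a small helper that renders one query template into the placeholder spelling each driver expects. The `users` table, its rows and the `render` helper are constructed for the demonstration; sqlite3 is used because it ships with Python.

```python
import re
import sqlite3

# Constructed sample data for the demonstration.
ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]

INT_RE = re.compile(r"[+-]?\d+")

def validate_int(value: str) -> int:
    """Accept only a plain decimal integer; '1 OR 1=1' is rejected here,
    so it never reaches the SQL layer at all."""
    if not INT_RE.fullmatch(value.strip()):
        raise ValueError(f"not an integer: {value!r}")
    return int(value)

# Placeholder syntax differs per driver/server; the names follow DB-API 2.0
# paramstyle where one exists ("dollar" is PostgreSQL's server-side PREPARE).
PLACEHOLDERS = {
    "qmark":   lambda i, name: "?",          # sqlite3, ODBC, MySQL
    "numeric": lambda i, name: f":{i}",      # :1, :2, ...
    "named":   lambda i, name: f":{name}",   # Oracle-style :name
    "format":  lambda i, name: "%s",         # psycopg2, MySQLdb
    "dollar":  lambda i, name: f"${i}",      # PostgreSQL PREPARE ($1, $2, ...)
}

def render(template: str, paramstyle: str) -> str:
    """Replace {name} markers in a template with the driver's placeholders."""
    out = template
    for i, name in enumerate(re.findall(r"\{(\w+)\}", template), start=1):
        out = out.replace("{" + name + "}", PLACEHOLDERS[paramstyle](i, name), 1)
    return out

def lookup_unsafe(conn, user_input: str):
    """The 'before' case: string concatenation lets '1 OR 1=1' widen the query."""
    return conn.execute(f"SELECT name FROM users WHERE id = {user_input}").fetchall()

def lookup_safe(conn, user_input: str):
    """Validate first, then bind the value as a parameter (sqlite3 uses qmark)."""
    uid = validate_int(user_input)
    sql = render("SELECT name FROM users WHERE id = {id}", "qmark")
    return conn.execute(sql, (uid,)).fetchall()

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn
```

Running `lookup_unsafe(make_db(), "1 OR 1=1")` returns every row, while `lookup_safe` raises `ValueError` on the same input and returns exactly one row for "2".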