The state of PHP security
Posted Dec 22, 2006 2:48 UTC (Fri) by denials
In reply to: The state of PHP security
Parent article: The state of PHP security
I still think the solution to SQL access is to remove support
for using strings as SQL statements, and instead have a "SQL statement"
type, with functions to append statement text (with it being an error to
include any single quotes in this) and to append constants.
Every programming language uses strings for SQL statements. You can
concatenate those strings and make mistakes in every language. The root of
this particular problem, IMHO, goes back to MySQL's inability (until
recently) to support placeholders. MySQL, you will recall, was the
database most often paired up with PHP to enable beginning programmers to
create dynamic Web applications. MySQL's lack of placeholders necessitated
the interpolation of variables directly into SQL statements, or the
concatenation of variables with SQL statement strings, in an unsafe
manner. Top that off with the "user-friendly" but lax treatment of things
like allowing you to quote-delimit integers (not legal in strict SQL) and
you have a recipe for SQL injection attacks.
As an aside: single quotes are actually legal in SQL (usually escaped
as ''), so making it an error would be even more foolish than creating
an "SQL statement" type. SQL statements, like it or not, are made of
to post comments)