List:General Discussion« Previous MessageNext Message »
From:Jigal van Hemert Date:March 19 2004 8:35am
Subject:Re: Guru's advice needed ........[Security: SQL injection]
View as plain text  
From: "Tariq Murtaza" <tariq@stripped>

> Can someone shed some light  on how "SQL injection" attack occurs when
> *magic_quotes_gpc *is"ON" and how it prevents when its "OFF". To my
> understanding  apostrophise are escaped automatically in POST/GET/COOKIE
> when its ON, so how it tends towards SQL Injection.

magic_quotes_gpc ON is supposed to do an addslashes automatically for all
get, post and cookie data.

> *What is the best practices handling 'quotation marks'  in input string
> and how to prevent SQL injection.

The best way to prevent SQL injection is to check user input yourself.
Never, ever trust any data from an external source.

Check numerical data: make sure it's numerical and within the range you
defined.
Check string data: make sure it contains the characters you support and
filter out any other characters, make sure it meets the other requirements
you defined (size, etc.). If necessary modify the data or reject it
completely.

I never use user input to include a script just like that, but always verify
it first to make sure it's in the list of scripts that can be included...

If you want to supply "free text search" than you can easily filter out a
list of punctuation characters that are not supported by the free text
search you implemented. If you filter out enough it will render an SQL query
that was posted to your script invalid, and effectively prevent an SQL
injection attack.

Happy coding! Jigal.


Thread
Guru's advice needed ........[Security: SQL injection]Tariq Murtaza19 Mar
  • Re: Guru's advice needed ........[Security: SQL injection]Jigal van Hemert19 Mar
  • Re: Guru's advice needed ........[Security: SQL injection]Martijn Tonies19 Mar
  • RE: Guru's advice needed ........[Security: SQL injection]Matt Chatterley19 Mar