From: Matt Chatterley
Date: March 19 2004 7:04pm
Subject: RE: Guru's advice needed ........[Security: SQL injection]
This reply has two purposes.

Firstly, a small suggestion (modest compared to the others which will
follow, no doubt!) - check out mysql_escape_string() - this may be useful to

Secondly, a further question:

In addition to protecting against SQL Injection, has anyone here
experimented with detecting and recording attempts at injection?

I've been pondering checking strings which come directly from user input for
sql keywords (and possibly using regexps to check for potential SQL Syntax
fragments), but before I begin, I thought asking would benefit me, if
someone with more experience has already tried this...



-----Original Message-----
From: Tariq Murtaza [mailto:tariq@stripped] 
Sent: 19 March 2004 18:41
To: php-general@stripped; mysql@stripped
Subject: Guru's advice needed ........[Security: SQL injection]

*Dear Friends!*

Can someone shed some light on how a "SQL injection" attack occurs when
*magic_quotes_gpc* is "ON" and how it is prevented when it's "OFF"? To my
understanding, apostrophes are escaped automatically in POST/GET/COOKIE
when it's ON, so how does it tend towards SQL injection?

Someone suggested keeping magic_quotes_gpc OFF through the .htaccess file
and using the following lines of code at the start of the file to prevent attacks...

/**
 * Checks for magic_quotes_gpc = On and strips them from incoming
 * requests if necessary
 */
if (get_magic_quotes_gpc()) {
  // array_map is not recursive: a nested array (e.g. a name[] field)
  // is passed whole to stripslashes instead of being walked.
  $_GET    = array_map('stripslashes', $_GET);
  $_POST   = array_map('stripslashes', $_POST);
  $_COOKIE = array_map('stripslashes', $_COOKIE);
}

But unfortunately it does not work for nested POST requests. Does anyone
have a better idea?
Secondly, why do we have to stripslashes while the DB (MySQL for example) is
doing it for us on execution? And another question arises: doesn't it
prevent a SQL injection attack when apostrophes are escaped in the query?

*What are the best practices for handling 'quotation marks' in input strings,
and how to prevent SQL injection?*

*Looking forward to some advice from the panel of experts on the forum.
Thanks and have a nice day!*

