Question Concerning SQL Injection
Grizzled Veteran
Join Date: Aug 2002
Location: Cardboard Box
Status:
Offline
I've posted a couple other newbie questions about MySQL and PHP. For those who shook their heads and answered anyway (Chuckit and Besson3c), thank you. I have another after reading "Learning PHP and MySQL". I understand what SQL Injections are, and the book wisely warns me about them. But it also reads as if MySQL and PHP work together to virtually negate any risk.
PHP and MySQL work together to thwart this kind of attack. What happens is the MySQL query command allows only one statement per query. So attempting to start a new query after the first one has already been started generates an error. Additionally, PHP uses a system by default called magic quotes with user input. Magic quotes automatically escape any special characters with a backslash (\), including single and double quotes.
So is there anything else I need to do security-wise here? (btw, I embedded phpAuthent in my app, so there is that security benefit, as well.)
Professional Poster
Join Date: Jan 2001
Location: Salt Lake City, UT USA
Status:
Offline
You have to make sure Magic Quotes are turned on, but that's about it.
2008 iMac 3.06 Ghz, 2GB Memory, GeForce 8800, 500GB HD, SuperDrive
8gb iPhone on Tmobile
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status:
Offline
I wouldn't rely on magic quotes. They cause all sorts of annoyance with slashes showing up everywhere, they don't protect from injection as well as actually validating and escaping input yourself, and they're going to be taken out in the next version of PHP.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
Mac Elite
Join Date: Mar 2001
Location: CO
Status:
Offline
I spent years playing around with PHP / MySQL, but since I'm getting serious, I find that Chris Snyder's "Pro PHP Security" is ESSENTIAL reading. And very well written. A lot of server-issue chapters can probably be skipped (expecting your hosting company to be well-versed), but the protection (testing/filtering) of GET- or POST-inputted data from forms is quite thoroughly and understandably covered.
There's a BUNCH to learn about injection, etc, and JUST SAYING NO to Magic Quotes is one of the first.
TOMBSTONE: "He's trashed his last preferences"
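To make concrete what Chuck and the post above are saying (validate and escape yourself, don't lean on magic quotes, filter GET/POST input), here is an added example that is not code from the thread or from the book being discussed. It assumes PHP 7.1+ with the PDO extension, and uses an in-memory SQLite database as a stand-in so it runs without a MySQL server; for MySQL the DSN would be `mysql:host=...;dbname=...` and the rest is unchanged. The point it demonstrates: backslash-escaping quotes (what magic quotes does) is irrelevant when the input lands in a numeric context that has no quotes at all, whereas a validated, bound parameter never reaches the SQL parser as SQL.

```php
<?php
// Added example (not from the thread): why escaping quotes alone is not a
// defence against SQL injection, and what "validate, then bind" looks like.
// Uses an in-memory SQLite database as a stand-in for MySQL so it runs offline.

declare(strict_types=1);

// What magic quotes / addslashes() do: backslash-escape quote characters.
function magicQuotesStyle(string $input): string
{
    return addslashes($input);
}

// Vulnerable pattern of the era: interpolate "escaped" input straight into SQL.
// The value is used in a numeric context (no surrounding quotes), so escaping
// quote characters changes nothing and the expression becomes part of the WHERE.
function buildVulnerableQuery(string $userId): string
{
    $escaped = magicQuotesStyle($userId);
    return "SELECT id, name FROM users WHERE id = $escaped";
}

// Hardened pattern: check the shape of the input first (an id is digits only),
// then bind it as a typed parameter so the database never parses it as SQL.
function validateId(string $userId): int
{
    if (!ctype_digit($userId) || strlen($userId) > 9) {
        throw new InvalidArgumentException("id must be a positive integer");
    }
    return (int) $userId;
}

function fetchUserSafely(PDO $db, string $userId): array
{
    $id = validateId($userId);
    $stmt = $db->prepare("SELECT id, name FROM users WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the MySQL driver, turn off client-side emulation so the server itself
// prepares the statement; the SQLite driver does not use this attribute.
if ($db->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
}
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Constructed input: contains no quote characters, so magic quotes leave it untouched.
$hostile = "1 OR 1=1";

// Vulnerable path: the injected condition survives escaping and returns every row.
$sql = buildVulnerableQuery($hostile);
echo "Vulnerable SQL: $sql\n";
$rows = $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
printf("Vulnerable query returned %d rows (a correct lookup returns 1)\n", count($rows));

// Hardened path: the same input is rejected before it ever reaches SQL.
try {
    fetchUserSafely($db, $hostile);
} catch (InvalidArgumentException $e) {
    echo "Rejected by validation: {$e->getMessage()}\n";
}

// A legitimate id still works through the bound parameter.
$rows = fetchUserSafely($db, "2");
printf("Safe query for id 2 returned %d row: %s\n", count($rows), $rows[0]['name']);
```

The same shape applies to form data: read it with `filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT)` or `$_POST` plus a whitelist check, reject anything that does not match, and pass what survives through `prepare()`/`bindValue()` rather than into a query string. That also answers the book's "one statement per query" point: stacked queries are only one injection technique, and the `1 OR 1=1` case above needs no second statement at all.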