Re: Useful info for developers (XSS & SQL Injection)

Posted by skenow on 1207408033
I see we've been reading some of the same documents.

I think having a parameter to set the type of query is a good idea. The danger still exists for multiple queries of the same type to be executed, though.

Of all the tips I have read, properly validating and casting your values is the Number 1 way to make your queries safer. In guide-to-php-security-ch3.pdf, the author states

Quote:

A cast forces PHP to perform a type conversion. If the input is not entirely numeric, only the leading numeric portion is used. If the input doesn't start with a numeric value or if the input is only alphabetic and punctuation characters, the result of the cast is 0. On the other hand, if the cast is successful, the input is a valid numeric value and no further escaping is needed. Numeric casting is not only very effective, it's also efficient, since a cast is a very fast, function-free operation that also obviates the need to call an escape routine.

sprintf() accomplishes the same thing.

Once we call the current $db->query, we have no way of knowing if the values were properly validated or sanitized. Something along the lines of what Nachenko suggested might be the way to go:

$db->query("SELECT field1, field2 FROM table WHERE field1=%u and field2='%s'", $number, $text);

with at least 1 parameter required.

Then, in the query method, use sprintf(), mysql_real_escape_string() and addcslashes() to properly prepare the SQL statement before executing.

This Post was from: https://www.impresscms.org/iforum/viewtopic.php?topic_id=1348&post_id=13513
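As an added example (not from skenow's post or the ImpressCMS code base), here is a PHP sketch of the query method described above: typed %u/%d/%s placeholders, numeric casting as in the quoted guide, and an escape callback for strings. The name `build_query` and the stand-in escaper are hypothetical; the inputs are constructed.

```php
<?php
// Added example (not from the forum post): a query builder that forces every
// value through a typed placeholder, along the lines skenow proposes.

/**
 * Build a SQL statement from a format string and typed placeholders.
 *   %u  unsigned integer  - value is cast with (int) and clamped at 0
 *   %d  signed integer    - value is cast with (int)
 *   %s  string            - value is escaped; the caller supplies the quotes
 * The number of placeholders must match the number of values, and at least
 * one value is required, so an unparameterised query cannot slip through.
 */
function build_query(callable $escape, string $format, ...$values): string
{
    if (count($values) === 0) {
        throw new InvalidArgumentException('at least one bound value is required');
    }
    preg_match_all('/%[uds]/', $format, $m);
    if (count($m[0]) !== count($values)) {
        throw new InvalidArgumentException('placeholder/value count mismatch');
    }
    $i = 0;
    return preg_replace_callback('/%[uds]/', function ($match) use (&$i, $values, $escape) {
        $v = $values[$i++];
        switch ($match[0]) {
            case '%u': return (string) max(0, (int) $v);   // leading digits only
            case '%d': return (string) (int) $v;
            default:   return $escape((string) $v);        // %s
        }
    }, $format);
}

// Stand-in escaper so the example runs without a database connection; it
// mirrors the character set of mysql_real_escape_string(). In production pass
// [$mysqli, 'real_escape_string'] instead of this closure.
$escape = function (string $s): string {
    return addcslashes($s, "\x00\n\r\\'\"\x1a");
};

// Constructed inputs: a numeric field given trailing text and a text field
// containing a single quote. The cast keeps only the leading number, so the
// trailing text is dropped; the escape routine neutralises the quote.
$sql = build_query($escape,
    "SELECT field1, field2 FROM table WHERE field1=%u AND field2='%s'",
    "42 OR 1=1", "x' OR 'a'='a");
echo $sql, PHP_EOL;
```

On PHP 5.3+ and later, server-side prepared statements (mysqli or PDO) do the same binding without string assembly and are the preferred approach; the builder above is the placeholder scheme the post describes, made enforceable.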