Re: Useful info for developers (XSS & SQL Injection)

by skenow on 2008/4/5 8:07:13

I see we've been reading some of the same documents.

I think having a parameter to set the type of query is a good idea. The danger still exists for multiple queries of the same type to be executed, though.

Of all the tips I have read, properly validating and casting your values is the Number 1 way to make your queries safer. In guide-to-php-security-ch3.pdf, the author states

Quote:

A cast forces PHP to perform a type conversion. If the input is not entirely numeric, only the leading numeric portion is used. If the input doesn’t start with a numeric value or if the input is
only alphabetic and punctuation characters, the result of the cast is 0. On the other hand, if the cast is successful, the input is a valid numeric value and no further escaping is needed. Numeric casting is not only very effective, it’s also efficient, since a cast is a very fast, function-free operation that also obviates the need to call an escape routine.
sprintf() accomplishes the same thing.

Once we call the current $db->query, we have no way of knowing if the values were properly validated or sanitized; something along the lines of what Nachenko suggested might be the way to go:

$db->query("SELECT field1, field2 FROM table WHERE field1=%u and field2='%s'", $number, $text);

with at least 1 parameter required.

Then, in the query method, use sprintf(), mysql_real_escape_string() and addcslashes() to properly prepare the SQL statement before executing.

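A sketch of the typed query method skenow describes, as an added example that is not code from the thread or from XOOPS. The function name prepare_query is my own; addcslashes() stands in for mysql_real_escape_string() so the snippet runs without a database connection, and, as in the post above, the caller writes the quotes around %s.

```php
<?php
// Added example: a query builder where the format string declares each
// parameter's type. %u/%d are cast to int (only the leading numeric
// portion survives, anything else becomes 0), %s is escaped.
// Assumption: addcslashes() replaces the driver escape call here; with a
// live link use mysqli_real_escape_string($link, $value) instead.
function prepare_query(string $format, ...$args): string
{
    if (count($args) === 0) {
        // At least one parameter is required, per the proposal in the thread.
        throw new InvalidArgumentException('prepare_query needs at least one value');
    }
    $i = 0;
    // Replace each placeholder, in order, with its typed and sanitized argument.
    return preg_replace_callback('/%([uds])/', function ($m) use ($args, &$i) {
        if (!array_key_exists($i, $args)) {
            throw new InvalidArgumentException('No value supplied for ' . $m[0]);
        }
        $value = $args[$i++];
        switch ($m[1]) {
            case 'u':
                // Unsigned: cast, then clamp negatives to 0 instead of passing them through.
                return (string) max((int) $value, 0);
            case 'd':
                // Signed cast: "5abc" -> 5, "abc" -> 0, no escaping needed afterwards.
                return (string) (int) $value;
            default: // 's'
                // Escape quotes, backslash and NUL; the caller supplies the surrounding quotes.
                return addcslashes((string) $value, "'\"\\\0");
        }
    }, $format);
}

// Constructed inputs: a value with a non-numeric tail and a string containing a quote.
$sql = prepare_query(
    "SELECT field1, field2 FROM table WHERE field1=%u and field2='%s'",
    "5abc",
    "O'Reilly"
);
echo $sql, PHP_EOL;
// SELECT field1, field2 FROM table WHERE field1=5 and field2='O\'Reilly'
```
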
Re: Useful info for developers (XSS & SQL Injection)

by GibaPhp on 2008/3/24 17:23:08

Really, impressive Vaughan, THANKS
These documents are coming at a great time.

1/2 off-topic: Is there a way to export those files to PDF documents to style world editor?

Re: Useful info for developers (XSS & SQL Injection)

by davidl2 on 2008/3/24 15:00:04

Many thanks - this will certainly be useful.

Is it possible to add this information to the new downloads site as well?

Useful info for developers (XSS & SQL Injection)

by Vaughan on 2008/3/24 14:48:47

I've put together a few of the documents I've been reading over the last month or so.

They are documents that are useful in understanding and preventing SQL Injection & XSS.

Thought I'd share them with you as they have helped me understand a lot more.

You can download them from my new site (still under construction):

http://www.g7poo.co.uk/modules/wfdownloads/viewcat.php?cid=3