2008/3/24 14:48:47
#1

Useful info for developers (XSS & SQL Injection)

I've put together a few of the documents I've been reading over the last month or so.

They are documents that are useful in understanding and preventing SQL Injection & XSS.

Thought I'd share them with you as they have helped me understand a lot more.

You can download them from my new site (still under construction):

http://www.g7poo.co.uk/modules/wfdownloads/viewcat.php?cid=3

_________________
Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!

2008/3/24 15:00:04
#2

Re: Useful info for developers (XSS & SQL Injection)

Many thanks - this will certainly be useful.

Is it possible to add this information to the new downloads site as well?


2008/3/24 17:23:08
#3

Re: Useful info for developers (XSS & SQL Injection)

Really impressive Vaughan, THANKS.
These documents are coming at a great time.

1/2 off-topic: Is there a way to export those files to PDF documents to style world editor?

_________________
Giba

2008/4/5 8:07:13
#4

Re: Useful info for developers (XSS & SQL Injection)

I see we've been reading some of the same documents.

I think having a parameter to set the type of query is a good idea. The danger still exists for multiple queries of the same type to be executed, though.

Of all the tips I have read, properly validating and casting your values is the Number 1 way to make your queries safer. In guide-to-php-security-ch3.pdf, the author states

Quote:

A cast forces PHP to perform a type conversion. If the input is not entirely numeric, only the leading numeric portion is used. If the input doesn’t start with a numeric value or if the input is only alphabetic and punctuation characters, the result of the cast is 0. On the other hand, if the cast is successful, the input is a valid numeric value and no further escaping is needed. Numeric casting is not only very effective, it’s also efficient, since a cast is a very fast, function-free operation that also obviates the need to call an escape routine.

sprintf() accomplishes the same thing.

Once we call the current $db->query, we have no way of knowing if the values were properly validated or sanitized; something along the lines of what Nachenko suggested might be the way to go:

$db->query("SELECT field1, field2 FROM table WHERE field1=%u and field2='%s'", $number, $text);

with at least 1 parameter required.

Then, in the query method, use sprintf(), mysql_real_escape_string() and addcslashes() to properly prepare the SQL statement before executing.

_________________
Christian Web Resources
Facebook
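The typed-placeholder query method sketched in the post above, written out as an added example (not code from the thread or from XOOPS): integer placeholders are validated and cast, string placeholders are escaped for the connection's charset, and only then is the statement assembled with vsprintf(). It assumes an open mysqli connection and PHP 8; the function and parameter names are illustrative, and mysqli's real_escape_string() stands in for the mysql_real_escape_string() named in the post.

```php
<?php
// Added example: a query helper in the spirit of
//   $db->query("SELECT ... WHERE field1=%u AND field2='%s'", $number, $text)
// Assumption: $link is an open mysqli connection; the format string is
// developer-controlled and never built from user input. Literal percent
// signs in the format must be written as %%.
function safe_query(mysqli $link, string $format, ...$params): mysqli_result|bool
{
    // Collect the typed placeholders in order; drop the %% literals.
    preg_match_all('/%([usd%])/', $format, $matches);
    $types = array_values(array_filter($matches[1], fn($t) => $t !== '%'));

    // Every placeholder needs exactly one parameter, so nothing is silently
    // left unfilled and no stray value reaches the SQL string.
    if (count($types) !== count($params)) {
        throw new InvalidArgumentException('placeholder count does not match parameter count');
    }

    $clean = [];
    foreach ($types as $i => $type) {
        $value = $params[$i];
        switch ($type) {
            case 'u':   // unsigned integer
            case 'd':   // signed integer
                // Validate first: a bare cast would turn "12abc" into 12 and
                // "abc" into 0, which hides bad input instead of rejecting it.
                if (!is_numeric($value)) {
                    throw new InvalidArgumentException("parameter $i is not numeric");
                }
                $int = (int) $value;
                if ($type === 'u' && $int < 0) {
                    throw new InvalidArgumentException("parameter $i must not be negative");
                }
                $clean[] = $int;
                break;
            case 's':   // string: escape quotes, backslashes and NULs for this charset
                $clean[] = $link->real_escape_string((string) $value);
                break;
        }
    }

    // %u, %d and %s are native sprintf conversions, so the escaped and cast
    // values drop straight into the developer's format string.
    $sql = vsprintf($format, $clean);
    return $link->query($sql);
}

// Usage with constructed request values:
// $result = safe_query($link, "SELECT field1, field2 FROM table WHERE field1=%u AND field2='%s'",
//                      $_GET['id'] ?? 0, $_GET['q'] ?? '');
```

The helper still requires the caller to put quotes around every '%s' in the format string; a prepared statement (mysqli or PDO) removes that responsibility entirely and is the stronger option where the driver supports it.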
