SQL injection protection



#1 OLD James

OLD James
  • Members
  • Newbie
  • 2 posts

Posted 24 July 2006 - 06:14 PM

I'm writing a small bulletin board system for a pre-existing code base. I'm to use a pre-existing authentication class. This class uses URLEncode() on the user name to avoid any malicious code being injected. Is URLEncode sufficient in this case? Is there a way that a malicious user could still perform an exploit in the user field to gain unauthenticated access?
I know that an additional SQL query has spaces, so that's not a problem, but I'm sure I read somewhere that you can encode special characters to bypass URL encoding, i.e. to pass in a single quote or something similar.

Any ideas and suggestions would be appreciated. I don't think I can modify the existing code without good cause.

Thanks boys and girls.

#2 kenrbnsn

kenrbnsn
  • Staff Alumni
  • Advanced Member
  • 8,235 posts
  • Location: Hillsborough, NJ, USA

Posted 24 July 2006 - 06:25 PM

Use the function mysql_real_escape_string() (http://www.php.net/m...l_escape_string) on any text that is being inserted into the DB.

Ken

#3 localhost

localhost
  • Members
  • Advanced Member
  • 152 posts

Posted 24 July 2006 - 06:38 PM

Also think of using strip_tags(), addslashes(), htmlentities(), trim(), etc.

#4 kenrbnsn

kenrbnsn
  • Staff Alumni
  • Advanced Member
  • 8,235 posts
  • Location: Hillsborough, NJ, USA

Posted 24 July 2006 - 06:39 PM

You don't need addslashes() if you use mysql_real_escape_string(). The mysql_real_escape_string() will do everything addslashes does and more.

Ken
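The following script is an added example, not code from this thread or from the OP's authentication class. It puts the three approaches discussed above (the class's urlencode(), the suggested addslashes(), and a driver-aware escaper of the kind mysql_real_escape_string() was) side by side against the classic login-bypass payload, and adds the fix a security reviewer would actually push for: a prepared statement, where input is bound as data and never becomes part of the SQL text. It assumes PHP 7 or later with the pdo_sqlite extension, and uses an in-memory SQLite table (the sample row is constructed) so it runs without a MySQL server. Note that mysql_real_escape_string() no longer exists in PHP 7; on a MySQL connection PDO::quote() or mysqli::real_escape_string() is the equivalent.

```php
<?php
// Added example for this thread; not the original poster's code.
// Assumes PHP 7+ with pdo_sqlite. SQLite stands in for MySQL.

function makeDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)");
    // Constructed sample row. A real system stores a password hash, not plaintext.
    $pdo->exec("INSERT INTO users VALUES ('alice', 'correct horse battery')");
    return $pdo;
}

// 1. Query text built from raw input: the attacker's quote closes the
//    string literal and the rest of the payload is parsed as SQL.
function loginNaive(PDO $pdo, string $user, string $pass): bool {
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$user' AND password = '$pass'";
    return (int)$pdo->query($sql)->fetchColumn() > 0;
}

// 2. What the OP's authentication class does. urlencode() leaves only
//    [A-Za-z0-9_.-] untouched, so a quote arrives as %27 and cannot close
//    the literal. It is a transport encoding, not SQL escaping, though:
//    the stored/compared value is mangled ("o'brien" becomes "o%27brien",
//    a space becomes "+"), and any urldecode() between here and the query
//    puts the quote straight back.
function loginUrlencode(PDO $pdo, string $user, string $pass): bool {
    return loginNaive($pdo, urlencode($user), urlencode($pass));
}

// 3. Driver-aware escaping, the role mysql_real_escape_string() played for
//    MySQL. PDO::quote() returns the value already wrapped in quotes and
//    escaped the way this driver needs (SQLite doubles quotes; MySQL
//    backslash-escapes and honours the connection charset). addslashes()
//    is deliberately not used in a query here: it is not driver-aware, and
//    its backslash escaping is simply wrong for SQLite.
function loginQuoted(PDO $pdo, string $user, string $pass): bool {
    $sql = "SELECT COUNT(*) FROM users WHERE username = " . $pdo->quote($user)
         . " AND password = " . $pdo->quote($pass);
    return (int)$pdo->query($sql)->fetchColumn() > 0;
}

// 4. Prepared statement: the input is bound as a parameter and never becomes
//    SQL text, so there is nothing to escape. This is the change to ask for.
function loginPrepared(PDO $pdo, string $user, string $pass): bool {
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM users WHERE username = ? AND password = ?");
    $stmt->execute([$user, $pass]);
    return (int)$stmt->fetchColumn() > 0;
}

// What each transformation does to one input, for comparison.
function encodings(PDO $pdo, string $raw): array {
    return [
        'raw'        => $raw,
        'urlencode'  => urlencode($raw),
        'addslashes' => addslashes($raw),
        'pdo_quote'  => $pdo->quote($raw),
    ];
}

$pdo     = makeDb();
$payload = "' OR '1'='1";   // classic bypass: supplied as both user and password

foreach (encodings($pdo, $payload) as $name => $value) {
    printf("%-10s %s\n", $name, $value);
}

foreach (['loginNaive', 'loginUrlencode', 'loginQuoted', 'loginPrepared'] as $fn) {
    printf("%-14s bypass=%-5s legit=%s\n", $fn,
        var_export($fn($pdo, $payload, $payload), true),
        var_export($fn($pdo, 'alice', 'correct horse battery'), true));
}
```

Running it shows only loginNaive reporting a successful bypass. loginUrlencode also rejects the payload, which is why the OP's tests "seem to stop" the obvious commands, but it rejects the legitimate credentials as well, because the space in the stored password is compared against a "+"; that data mangling, plus its dependence on nothing ever decoding the value before it reaches the query, is the practical argument against using a URL encoder as an SQL defence. loginQuoted and loginPrepared both reject the payload and accept the real login; of the two, the prepared statement is the one that does not depend on getting the escaping right per driver and per charset.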

#5 OLD James

OLD James
  • Members
  • Newbie
  • 2 posts

Posted 24 July 2006 - 07:03 PM

Thanks for the quick feedback.
As I said, I can't really change the pre-existing code for the authentication class. That's not really my job, nor do I have permission to. I do have to secure my portion of code to the best of my ability.
I agree that mysql_real_escape_string() should be used, but just as a best practice. In order to get the developer to change the current implementation of the authentication class, I need to explain why URLEncode isn't sufficient, but alas I'm not really sure why it's not...? I tried passing in the few general SQL commands I know of and it seems to stop them. So what else is there?
