Jump to content

SQL injection protection


OLD James

Recommended Posts

I'm writing a small bulletin board system for a pre-existing code base. Im to use a pre-existing uthentication class. this class uses URLEncode() on the user name to avoid any malicious code being injected. Is URLEncode sufficient in this case? Is there a way that a malicious user could still perform an exploit in the user field to gain un-authenticated access?
I know that an addition SQL query has spaces so that thats not a problem. but I'm sure i read somewhere that you can encode special characters to bypass url encoding. IE. to pass in a single quote or something similar.

Any ideas and sugestions would be appreciated. I dont think i can modify the existing code without good cause.

Thanks boys and girls.
Link to comment
Share on other sites

hanks fro the quick feed back.
As I said I can't really change the pre-existing code for the authentication class. Thats not really my job nor do i have permission to. I do have to secure my portion of code to the best of my ability.
I agree that mysql_real_escape_string() should be used, but just as a best practice. In order to get the developer to change the current implementation of the authentication class. I need to expalin why URLEncode isn't sufficient, but alas I'm not really sure why its not....? I tried passing in the few general SQL commands i know of and it seems to stop them. so what else is there?
Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.