[nycphp-talk] php in securityfocus 218

Chris Shiflett shiflett at php.net
Tue Oct 14 11:11:50 EDT 2003


--- Chris Snyder <csnyder at chxo.com> wrote:
> In an attempt, um, to redeem this message, what *is* an SQL
> Injection Vulnerability? Is the religious use of addslashes() on
> any request variables used in a database query enough to prevent
> it?
> 
> For example:
> 
> $email = $_GET['email'];
> $safeemail = addslashes($email);
> $query = "SELECT * FROM supplicants WHERE email='$safeemail'";
> 
> Is this safe, or is my site at the mercy of a clever SQL injector?

Tell me the URL, and you'll find out. ;-)

Just kidding.

I'm not the most creative guy out there, which is why I don't bother trying to
outguess what people will try. I can't think of a specific attack that will
bypass your filtering offhand, but that doesn't mean someone else can't. In
fact, I would characterize this code as a security vulnerability (assuming
addslashes is the only data filtering) even though I can't think of a specific
example to exploit it.

What I can do is tell you that it is practically assured that no valid email
address can be used as an SQL injection attack, so if your data filtering
validates the format you are expecting, this is much safer than only using
addslashes.

Hope that helps.

Chris

=====
My Blog
     http://shiflett.org/
HTTP Developer's Handbook
     http://httphandbook.org/
RAMP Training Courses
     http://www.nyphp.org/ramp
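As an added illustration of the advice above (this is not code from either Chris, and it is not how the quoted snippet was written), the same lookup can be done by validating the format first and then keeping the value out of the SQL text entirely. The table name `supplicants` is taken from the quoted message; the function names, the use of `filter_var()` with `FILTER_VALIDATE_EMAIL`, and the `mysqli` prepared-statement API are assumptions of this example and need PHP 7.1 or later, which did not exist when the post was written.

```php
<?php
// Added example: validate the expected format, then bind the value as a
// parameter instead of escaping it into the query string.
// Assumes PHP >= 7.1 (nullable types) with the mysqli extension.
// The table "supplicants" comes from the quoted message; everything else
// is constructed for this illustration.

function validate_email(string $raw): ?string
{
    // Only a syntactically valid address survives; anything containing
    // quotes, spaces or SQL punctuation is rejected before a query exists.
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

function find_supplicant(mysqli $db, string $raw): ?array
{
    $email = validate_email($raw);
    if ($email === null) {
        return null; // invalid input: refuse rather than escape
    }

    // The address is never interpolated into the SQL text, so the query's
    // structure cannot change regardless of the value bound.
    $stmt = $db->prepare("SELECT * FROM supplicants WHERE email = ?");
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

// Validation step shown on constructed inputs (no database needed):
$samples = [
    "alice@example.com",      // accepted
    "bob@example.com' --",    // rejected: not a valid address
    "' OR 'a'='a",            // rejected: not a valid address
];
foreach ($samples as $input) {
    printf("%-24s -> %s\n", $input, validate_email($input) ?? "rejected");
}
```

Validation and parameter binding are complementary: the format check enforces what the application expects, and binding guarantees that whatever passes the check is treated as data by the database driver, so the query no longer depends on `addslashes()` being sufficient.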