[nycphp-talk] More confused now than before by PHP security!

Dan Cech dcech at phpwerx.net
Sun Jan 22 08:32:15 EST 2006


IMHO Chris wasn't as explicit as he could have been with regards to the 
conclusion of the article, but basically the point is something like this:

When constructing SQL, any input should be properly escaped taking into 
account the character set of the connection.  The 
mysql_real_escape_string() function is designed to do exactly this.  If 
you do not take this into account you are vulnerable to hacks of the 
type described in the article.

If you are using a database abstraction layer such as PEAR::DB or adodb 
you also have the option of using their variable binding in your 
queries, which will perform this transparently.

In this case the query would look something like:

$sql = 'SELECT *
         FROM   users
         WHERE  username = ?
         AND    password = ?';

$args = array(
     $mysql['username'],
     $mysql['password'],
);

$result = $db->query($sql,$args);

This is the method I usually use as it clearly separates the data from 
the query and makes it almost impossible to miss quoting something, 
making your code simpler and more secure at the expense of a little 
overhead.

There are quite a few other arguments against using addslashes, some of 
which are outlined in the phundamentals article here:

http://www.nyphp.org/phundamentals/storingretrieving.php

Dan

edward potter wrote:
> Based on this article, how do you write secure PHP code, the author
> seems to claim that there is no 100% way?  A bit confusing. What can I
> do to totally prevent an sql hack attack?
> 
> http://shiflett.org/archive/184
> The addslashes() Versus mysql_real_escape_string() Debate
