sprintf for SQL injection testing

on 14.04.2008 17:00:41 by Law Poop

Hello all -

I'm looking at web pages describing how to prevent SQL injections
with PHP. All of them mention mysql_real_escape_string. However, I
recall mention of sprintf at some time in the past.

Is mysql_real_escape_string sufficient to prevent injections, or
should $_POST or $_GET data also be checked with sprintf ?

Re: sprintf for SQL injection testing

on 14.04.2008 17:14:46 by Jerry Stuckle

lawpoop@gmail.com wrote:
> Hello all -
>
> I'm looking at web pages describing how to prevent SQL injections
> with PHP. All of them mention mysql_real_escape_string. However, I
> recall mention of sprintf at some time in the past.
>
> Is mysql_real_escape_string sufficient to prevent injections, or
> should $_POST or $_GET data also be checked with sprintf ?
>

sprintf() doesn't check strings for sql injection. It merely formats
data into a string.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Re: sprintf for SQL injection testing

on 14.04.2008 17:29:10 by Erwin Moller

lawpoop@gmail.com wrote:
> Hello all -
>
> I'm looking at web pages describing how to prevent SQL injections
> with PHP. All of them mention mysql_real_escape_string. However, I
> recall mention of sprintf at some time in the past.
>
> Is mysql_real_escape_string sufficient to prevent injections, or
> should $_POST or $_GET data also be checked with sprintf ?

Hi,

mysql_real_escape_string is enough to prevent SQL injection.
(Or use prepared statements.)

I am not sure if sprintf() is the right way to avoid injection, but
without an example, I cannot tell. ;-)

Regards,
Erwin Moller

Re: sprintf for SQL injection testing

on 14.04.2008 17:37:41 by Michael Fesser

..oO(lawpoop@gmail.com)

>I'm looking at web pages describing how to prevent SQL injections
>with PHP. All of them mention mysql_real_escape_string. However, I
>recall mention of sprintf at some time in the past.
>
>Is mysql_real_escape_string sufficient to prevent injections, or
>should $_POST or $_GET data also be checked with sprintf ?

mysql_real_escape_string() or prepared statements (PDO) are the way to
go to prevent SQL injection. sprintf() has nothing to do with databases
and doesn't escape anything, but of course it can be really useful to
create complex queries or other strings.

Micha

Re: sprintf for SQL injection testing

on 14.04.2008 17:45:47 by Law Poop

On Apr 14, 11:29 am, Erwin Moller
wrote:

> I am not sure if sprintf() is the right way to avoid injection, but
> without an example, I cannot tell. ;-)


Well, IIRC, it wasn't specifically for SQL injection, but rather for
any sort of malformed data.

Something like

$sql = sprintf( "INSERT INTO table ( field1, field2 ) VALUES ( '%s',
%d )", $_POST['string'], $_POST['number'] );

Re: sprintf for SQL injection testing

on 14.04.2008 17:52:39 by Erwin Moller

lawpoop@gmail.com wrote:
> On Apr 14, 11:29 am, Erwin Moller
> wrote:
>
>> I am not sure if sprintf() is the right way to avoid injection, but
>> without an example, I cannot tell. ;-)
>
>
> Well, IIRC, it wasn't specifically for SQL injection, but rather for
> any sort of malformed data.
>
> Something like
>
> $sql = sprintf( "INSERT INTO table ( field1, field2 ) VALUES ( '%s',
> %d )", $_POST['string'], $_POST['number'] );
>

Hi,

But if $_POST["string"] contains:
bla',2);delete from table;--

you still have SQL injection. :-/
I think.
(Not 100% sure, I seldom need sprintf.)

Regards,
Erwin Moller

Re: sprintf for SQL injection testing

on 14.04.2008 18:01:27 by Law Poop

On Apr 14, 11:52 am, Erwin Moller
wrote:
> lawp...@gmail.com wrote:
>
> > On Apr 14, 11:29 am, Erwin Moller
> > wrote:
>
> >> I am not sure if sprintf() is the right way to avoid injection, but
> >> without an example, I cannot tell. ;-)
>
> > Well, IIRC, it wasn't specifically for SQL injection, but rather for
> > any sort of malformed data.
>
> > Something like
>
> > $sql = sprintf( "INSERT INTO table ( field1, field2 ) VALUES ( '%s',
> > %d )", $_POST['string'], $_POST['number'] );
>
> Hi,
>
> But if $_POST["string"] contains:
> bla',2);delete from table;--
>
> you still have SQL injection. :-/
> I think.
> (Not 100% sure, I seldom need sprintf.)
>
> Regards,
> Erwin Moller

Right. Maybe SQL injection wasn't the concern it was supposed to
address, but instead a buffer overflow or something like that.

Re: sprintf for SQL injection testing

on 14.04.2008 23:29:58 by Paul Lautman

lawpoop@gmail.com wrote:
>
> Right. Maybe SQL injection wasn't the concern it was supposed to
> address, but instead a buffer overflow or something like that.

Or then again, maybe not.

Re: sprintf for SQL injection testing

on 15.04.2008 18:28:08 by Law Poop

On Apr 14, 5:29 pm, "Paul Lautman"
wrote:
> lawp...@gmail.com wrote:
>
> > Right. Maybe SQL injection wasn't the concern it was supposed to
> > address, but instead a buffer overflow or something like that.
>
> Or then again, maybe not.

Well, you can use it to prevent SQL injection when you are doing type
checking:

<?php
$input = "'5'; DELETE FROM table;";

$sql = "UPDATE table SET value = $input WHERE id = 12";

echo $sql . "\n";
?>

UPDATE table SET value = '5'; DELETE FROM table; WHERE id = 12

<?php
$input = "''; SELECT * FROM table;";

$sql = sprintf( "UPDATE table SET value = %d WHERE id = 12", $input );

echo $sql . "\n";
?>

UPDATE table SET value = 0 WHERE id = 12

Although, you wouldn't want a 0 value being updated. Much preferable
is a syntax error where no value is changed.

Re: sprintf for SQL injection testing

on 15.04.2008 18:48:58 by Mike Camden

On Apr 15, 9:28 am, lawp...@gmail.com wrote:
> On Apr 14, 5:29 pm, "Paul Lautman"
> wrote:
>
> > lawp...@gmail.com wrote:
>
> > > Right. Maybe SQL injection wasn't the concern it was supposed to
> > > address, but instead a buffer overflow or something like that.
>
> > Or then again, maybe not.
>
> Well, you can use it to prevent SQL injection when you are doing type
> checking:
>
> <?php
> $input = "'5'; DELETE FROM table;";
>
> $sql = "UPDATE table SET value = $input WHERE id = 12";
>
> echo $sql . "\n";
> ?>
>
> UPDATE table SET value = '5'; DELETE FROM table; WHERE id = 12
>
> <?php
> $input = "''; SELECT * FROM table;";
>
> $sql = sprintf( "UPDATE table SET value = %d WHERE id = 12", $input );
>
> echo $sql . "\n";
> ?>
>
> UPDATE table SET value = 0 WHERE id = 12
>
> Although, you wouldn't want a 0 value being updated. Much preferable
> is a syntax error where no value is changed.

From the PHP site,

<?php
// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
    OR die(mysql_error());

// Query
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
    mysql_real_escape_string($user),
    mysql_real_escape_string($password));
?>

Re: sprintf for SQL injection testing

on 16.04.2008 11:08:03 by luiheidsgoeroe

On Tue, 15 Apr 2008 18:28:08 +0200, wrote:

> On Apr 14, 5:29 pm, "Paul Lautman"
> wrote:
>> lawp...@gmail.com wrote:
>>
>> > Right. Maybe SQL injection wasn't the concern it was supposed to
>> > address, but instead a buffer overflow or something like that.
>>
>> Or then again, maybe not.
>
> Well, you can use it to prevent SQL injection when you are doing type
> checking:

Well, only when forcibly converting to numbers.

>
Always use
> Although, you wouldn't want a 0 value being updated. Much preferrable
> is a syntax error where no value is changed.

Indeed, a ctype_* function and possibly informing the user of an illegal
value would be better.
--
Rik Wasmus
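As an added example (not code from the thread), this PHP script puts the points of Law Poop's post and Rik's reply side by side: sprintf with %s passes the payload straight through, %d only coerces it to 0, ctype_digit refuses it with an explanation, and a PDO prepared statement binds the value as data, which is what the earlier replies recommended in place of mysql_real_escape_string. It assumes PHP 8 with pdo_sqlite (an in-memory SQLite database stands in for MySQL); the table t, the column value and the row id 12 are constructed.

```php
<?php
// Added example, not code from the thread. Assumes PHP 8 with the pdo_sqlite
// extension; the table t, the column value and the row id 12 are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE t (id INTEGER PRIMARY KEY, value INTEGER)');
$pdo->exec('INSERT INTO t (id, value) VALUES (12, 7)');

// The payload from the thread, with the table renamed to t.
$input = "'5'; DELETE FROM t;";

// 1. sprintf with %s copies the payload into the query byte for byte:
//    sprintf formats, it does not escape, so the query now holds two statements.
$withS = sprintf("UPDATE t SET value = %s WHERE id = 12", $input);
echo "%s: $withS\n";

// 2. sprintf with %d casts the payload to integer, which gives 0 for a
//    non-numeric string. The injection is gone, but the row is silently set
//    to 0 instead of the request being refused (the thread's objection to %d).
$withD = sprintf("UPDATE t SET value = %d WHERE id = 12", $input);
echo "%d: $withD\n";

// 3. Validate first, as the ctype_* suggestion in the thread: accept only an
//    unsigned decimal string and tell the caller why anything else is refused.
function validated_value(string $raw): int
{
    if (!ctype_digit($raw)) {
        throw new InvalidArgumentException("value must be digits only, got: $raw");
    }
    return (int) $raw;
}

// 4. Prepared statement with bound parameters: the value is sent as data,
//    never spliced into SQL text, so it cannot change the statement's structure.
function update_value(PDO $pdo, string $raw): int
{
    $stmt = $pdo->prepare('UPDATE t SET value = :v WHERE id = :id');
    $stmt->execute([':v' => validated_value($raw), ':id' => 12]);
    return $stmt->rowCount();
}

try {
    update_value($pdo, $input);
} catch (InvalidArgumentException $e) {
    echo "refused: " . $e->getMessage() . "\n";
}
$rows = update_value($pdo, '42');
$now  = $pdo->query('SELECT value FROM t WHERE id = 12')->fetchColumn();
echo "valid input updated $rows row(s); value is now $now\n";
```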

Re: sprintf for SQL injection testing

on 16.04.2008 11:16:52 by Captain Paralytic

On 15 Apr, 16:28, lawp...@gmail.com wrote:
> On Apr 14, 5:29 pm, "Paul Lautman"
> wrote:
>
> > lawp...@gmail.com wrote:
>
> > > Right. Maybe SQL injection wasn't the concern it was supposed to
> > > address, but instead a buffer overflow or something like that.
>
> > Or then again, maybe not.
>
> Well, you can use it to prevent SQL injection when you are doing type
> checking:

I didn't say you couldn't, did I?

Re: sprintf for SQL injection testing

on 16.04.2008 11:17:40 by Captain Paralytic

On 15 Apr, 16:48, Mike Camden wrote:
> On Apr 15, 9:28 am, lawp...@gmail.com wrote:
>
>
>
> > On Apr 14, 5:29 pm, "Paul Lautman"
> > wrote:
>
> > > lawp...@gmail.com wrote:
>
> > > > Right. Maybe SQL injection wasn't the concern it was supposed to
> > > > address, but instead a buffer overflow or something like that.
>
> > > Or then again, maybe not.
>
> > Well, you can use it to prevent SQL injection when you are doing type
> > checking:
>
> > <?php
> > $input = "'5'; DELETE FROM table;";
>
> > $sql = "UPDATE table SET value = $input WHERE id = 12";
>
> > echo $sql . "\n";
> > ?>
>
> > UPDATE table SET value = '5'; DELETE FROM table; WHERE id = 12
>
> > <?php
> > $input = "''; SELECT * FROM table;";
>
> > $sql = sprintf( "UPDATE table SET value = %d WHERE id = 12", $input );
>
> > echo $sql . "\n";
> > ?>
>
> > UPDATE table SET value = 0 WHERE id = 12
>
> > Although, you wouldn't want a 0 value being updated. Much preferable
> > is a syntax error where no value is changed.
>
> From the PHP site,
>
> <?php
> // Connect
> $link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
> OR die(mysql_error());
>
> // Query
> $query = sprintf("SELECT * FROM users WHERE user='%s' AND
> password='%s'",
> mysql_real_escape_string($user),
> mysql_real_escape_string($password));
> ?>
What point are you trying to make by posting that extract?