SQL Injection immunity on Ubuntu
Kees Cook
kees at ubuntu.com
Wed May 7 16:33:39 UTC 2008
Hi Dax,
On Wed, May 07, 2008 at 03:11:09PM +0800, Dax Solomon Umaming wrote:
> If I move my PHP script to a freshly-installed Hardy, will I get the same
> result?
I echo everyone else's comments on this topic, and only add that I would
recommend using a database interface that provides proper "Binding".
Instead of the old "mysql", please consider switching to "mysqli"[1]
(or ADOdb[3]). This would totally side-step the need for doing manual
string escapes, and lets the database take care of it directly. This
tends to be much less code to write, makes it harder to make mistakes,
etc. Instead of building up a long string including parameters that
may need to be escaped, build up the query string with place-holders,
and add the parameters as function arguments. Example lifted from the
mysqli bind-param docs[2]:
/* $mysqli must be an open connection; the credentials below are placeholders, not values from the post */
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");
/* the query text contains only '?' place-holders, never user data */
$stmt = $mysqli->prepare("INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)");
/* 'sssd' = three strings and one double; variables are bound by reference, so they may be assigned afterwards */
$stmt->bind_param('sssd', $code, $language, $official, $percent);
$code = 'DEU';
$language = 'Bavarian';
$official = "F";
$percent = 11.2;
/* execute prepared statement; the driver sends the values separately from the SQL */
$stmt->execute();
I hope that helps!
-Kees
[1] http://us3.php.net/manual/en/book.mysqli.php
[2] http://us3.php.net/manual/en/mysqli-stmt.bind-param.php
[3] http://phplens.com/lens/adodb/tips_portable_sql.htm (see "Binding")
--
Kees Cook
Ubuntu Security Team
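To make the point of the post concrete without needing a MySQL server, here is an added example (not part of Kees's message, and not mysqli code) that uses Python's built-in sqlite3 driver, which binds parameters with the same `?` place-holder style. The table name and rows are constructed to mirror the CountryLanguage example; the same query is run once with string concatenation and once with a bound parameter so the difference in behaviour can be observed directly.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table mirroring the post's CountryLanguage example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE CountryLanguage "
        "(CountryCode TEXT, Language TEXT, IsOfficial TEXT, Percentage REAL)"
    )
    conn.executemany(
        "INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)",
        [
            ("DEU", "German", "T", 91.3),
            ("DEU", "Bavarian", "F", 11.2),
            ("FRA", "French", "T", 93.6),
        ],
    )
    return conn


def languages_concat(conn, code):
    """The pattern the post warns against: untrusted input spliced into the SQL text."""
    sql = "SELECT Language FROM CountryLanguage WHERE CountryCode = '" + code + "'"
    return [row[0] for row in conn.execute(sql)]


def languages_bound(conn, code):
    """The recommended pattern: a '?' place-holder, value passed as a parameter.

    The driver ships the value separately from the query, so it is only ever
    compared as data and cannot alter the query structure."""
    rows = conn.execute(
        "SELECT Language FROM CountryLanguage WHERE CountryCode = ?", (code,)
    )
    return [row[0] for row in rows]


def insert_bound(conn, code, language, official, percent):
    """Same shape as the mysqli INSERT in the post; returns the row count for that code.

    Quotes inside the data need no manual escaping."""
    conn.execute(
        "INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)",
        (code, language, official, percent),
    )
    count = conn.execute(
        "SELECT COUNT(*) FROM CountryLanguage WHERE CountryCode = ?", (code,)
    ).fetchone()[0]
    return count


def compare(conn, code):
    """Run both variants on one input and return (concat_result, bound_result).

    A syntax error raised by the concatenated form (for example when the input
    contains a quote) is reported as the string 'error'."""
    try:
        concat = languages_concat(conn, code)
    except sqlite3.OperationalError:
        concat = "error"
    return concat, languages_bound(conn, code)


if __name__ == "__main__":
    db = make_db()
    # Ordinary lookup: both forms agree.
    print("DEU        ", compare(db, "DEU"))
    # A quote in legitimate data breaks the concatenated query but is fine when bound.
    print("O'Brien    ", compare(db, "O'Brien"))
    # Input that changes the WHERE clause: only the concatenated form is affected.
    print("' OR '1'='1", compare(db, "' OR '1'='1"))
    print("rows for O'B after bound insert:", insert_bound(db, "O'B", "Test", "F", 0.5))
```

The second and third cases are the ones worth noting: with binding, a quote in real data is simply stored or matched as-is, and input shaped like SQL is compared as a country code that matches nothing, which is exactly the "let the database take care of it" behaviour the post recommends.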