[nycphp-talk] php in securityfocus 218
Analysis & Solutions
danielc at analysisandsolutions.com
Tue Oct 14 09:26:44 EDT 2003
Hi Chris:
On Tue, Oct 14, 2003 at 08:47:29AM -0400, Chris Snyder wrote:
> $email = $_GET['email'];
> $safeemail = addslashes($email);
> $query = "SELECT * FROM supplicants WHERE email='$safeemail' ";
>
> Is this safe, or is my site at the mercy of a clever SQL injector?
For the most part.
To avoid all potential problems, it's a good idea to check that the data
matches your expected format. For instance, if it's supposed to be a
small integer, make sure it only contains numbers and is less that five
characters long. This example prevents errors from overflowing and trying
to put in non numeric characters.
Under this regimen, addslashes() is only needed for strings that are
allowed to contain SQL related characters. So, you wouldn't need
addslashes(), say, for input you validated to either be a "Y" or an "N."
Also, the step of converting $_GET['email'] to $email is superfluous.
You could save some time and memory by putting $_GET['email'] in the
addslashes() call.
Enjoy,
--Dan
--
FREE scripts that make web and database programming easier
http://www.analysisandsolutions.com/software/
T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
4015 7th Ave #4AJ, Brooklyn NY v: 718-854-0335 f: 718-854-0409
More information about the talk
mailing list