In article <33c6269f0510241144s680be862pfdc0c59dcba06eee@xxxxxxxxxxxxxx>, Alex Turner <armtuk@xxxxxxxxx> writes:

> As sort of a side discussion - I have postulated that quoting all incoming
> numbers as string would be an effective defense against SQL Injection style
> attacks, as magic quotes would destroy any end-quote type syntax:
>
> in_value=1
> select * from table where my_id='$in_value';
>
> as an example for PHP - Postgres will silently perform an atoi on the string to
> make it a number, but it would prevent:
>
> in_value=1; delete * from user;
> select * from table where my_id=$in_value
>
> Am I just smoking crack here, or does this approach have some merit?

The former :-)

The correct defense against SQL injection is proper escaping, not quoting.
How about $in_value = '1''; delete * from user'?

---------------------------(end of broadcast)---------------------------
TIP 5: don't forget to increase your free space map settings
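As an added illustration of the three query-building styles discussed in this thread (not code from either poster), the script below runs the thread's `1; delete ... from user` input through an unquoted interpolation, through the proposed quote-and-escape form, and through a bound parameter, and reports how many rows of the `user` table survive each. It assumes SQLite instead of PostgreSQL, uses SQL-standard quote doubling for the escaping step because SQLite does not honour PHP's backslash-style magic quotes, and uses `executescript` to stand in for a driver that executes several statements per call, which is what the payload in the thread relies on. The table contents are constructed sample data.

```python
import sqlite3

# Constructed sample input: the thread's payload, written with valid DELETE syntax.
PAYLOAD = "1; delete from user"


def build_db():
    """Create an in-memory SQLite database with a small constructed user table."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "create table user(my_id integer primary key, name text);"
        "insert into user values (1, 'alice'), (2, 'bob');"
    )
    return con


def remaining_users(con):
    """Rows left in the user table; 2 means the table is intact."""
    return con.execute("select count(*) from user").fetchone()[0]


def query_unquoted(con, in_value):
    """Vulnerable pattern from the thread: my_id=$in_value, no quotes, no validation.
    With a multi-statement driver the payload's second statement is executed."""
    con.executescript(f"select * from user where my_id={in_value};")
    return remaining_users(con)


def sql_escape(value):
    """SQL-standard string escaping: double every single quote inside the literal.
    (PHP magic quotes used backslashes; SQLite does not treat those as escapes.)"""
    return value.replace("'", "''")


def query_quoted_escaped(con, in_value):
    """The poster's idea: wrap the value in quotes and escape it. The whole input
    stays inside one string literal, so no second statement is ever parsed."""
    con.executescript(f"select * from user where my_id='{sql_escape(in_value)}';")
    return remaining_users(con)


def query_parameterized(con, in_value):
    """Recommended form: a bound parameter is passed to the engine as data and is
    never parsed as SQL. Returns (rows left in user, matching names)."""
    rows = con.execute("select name from user where my_id=?", (in_value,)).fetchall()
    return remaining_users(con), rows


def as_int_or_none(in_value):
    """Input validation for a numeric id: anything that is not an integer is rejected
    before it gets anywhere near a query string."""
    try:
        return int(in_value)
    except (TypeError, ValueError):
        return None


if __name__ == "__main__":
    print("unquoted   :", query_unquoted(build_db(), PAYLOAD), "rows left")
    print("quoted+esc :", query_quoted_escaped(build_db(), PAYLOAD), "rows left")
    print("parameter  :", query_parameterized(build_db(), PAYLOAD), "(rows left, matches)")
    print("validated  :", as_int_or_none(PAYLOAD), "<- rejected before any SQL is built")
```

The quoted form survives here only because the escaping step is correct for the engine in use; the reply's point is that the escaping is what does the work, and the quotes alone buy nothing. Validating numeric ids as integers and binding parameters removes the dependence on getting the escaping right.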