Re: Re: setcookie security concerns [medium]

On Friday 17 March 2006 15:10, Kevin Davies - Bonhurst Consulting wrote:
> I just picked up this thread, so excuse me if I'm repeating or have totally
> missed the point.
>
> Another concern I picked up from a PHP security book is using '--' - which
> simply comments out the remainder of the line (with MySQL anyway).
> Therefore if your SQL is "SELECT * FROM table WHERE user = '$user' AND pass
> = '$pass'" a malicious visitor could enter a valid username followed by '--
> which may allow them entry to that person's account by creating the
> following:
>
> SELECT * FROM table WHERE user = 'valid_user'--' AND pass = '$pass'

A benefit to using something like PEAR::DB is access to the quotesmart() 
function, which quotes the input for you.  Your query can then look like

SELECT * FROM table WHERE user=$q_user AND pass=$q_pass

q_user and q_pass are derived from form input which is passed to quotesmart().  
Even if funky characters like ' and -- are included, the quoting should help 
prevent injection.

Validating input helps, but some input literally can be most characters under 
the sun.  It's easier to defend the entire system with some general purpose 
protections than try to guess every attack (imo).

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
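The two points in this exchange, the `'--` trick that truncates the WHERE clause and the defence of quoting or binding every value, can be seen end to end in the following added example. It is not code from the original thread or from PEAR::DB: it uses Python's standard `sqlite3` module against an in-memory table with one constructed account, and shows bound parameters alongside a hand-rolled `quote_literal()` that mirrors what quotesmart() does for string values (wrap in quotes, double any embedded quote). The table name, column names, account and the `quote_literal` helper are all assumptions for the demonstration. One caveat on the payload: SQLite treats `--` as a comment to end of line regardless of what follows, whereas MySQL only does so when the `--` is followed by whitespace, so a real-world probe against MySQL needs `'-- ` (with a trailing space) or a `#`.

```python
import sqlite3

# Constructed sample data (not from the original message): a single account.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT NOT NULL, pass TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('valid_user', 'correct-horse')")
    return conn


def build_query_vulnerable(user: str, pw: str) -> str:
    """String interpolation exactly as in the quoted message: the visitor's
    text becomes part of the SQL statement itself."""
    return f"SELECT * FROM users WHERE user = '{user}' AND pass = '{pw}'"


def login_vulnerable(conn: sqlite3.Connection, user: str, pw: str) -> bool:
    return conn.execute(build_query_vulnerable(user, pw)).fetchone() is not None


def quote_literal(value: str) -> str:
    """Hand-rolled quoting in the spirit of PEAR::DB's quotesmart() (an
    assumption about its behaviour for strings, not its code): wrap the value
    in single quotes and double any embedded quote, so a trailing '-- can no
    longer close the literal and comment out the password check.
    This is correct for SQLite; escaping rules differ per DBMS and character
    set, which is why bound parameters are the better default."""
    return "'" + value.replace("'", "''") + "'"


def login_quoted(conn: sqlite3.Connection, user: str, pw: str) -> bool:
    sql = (
        f"SELECT * FROM users WHERE user = {quote_literal(user)} "
        f"AND pass = {quote_literal(pw)}"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, user: str, pw: str) -> bool:
    """Bound parameters: the statement text is fixed and the driver passes the
    values separately, so no character in the input can change the query."""
    sql = "SELECT * FROM users WHERE user = ? AND pass = ?"
    return conn.execute(sql, (user, pw)).fetchone() is not None


def demo() -> dict:
    """Run the same attacker input through all three variants and report
    whether each one would have let the attacker in."""
    conn = make_db()
    payload = "valid_user'--"   # the username-plus-comment trick from the thread
    wrong_pw = "not-the-password"
    return {
        "vulnerable": login_vulnerable(conn, payload, wrong_pw),
        "quoted": login_quoted(conn, payload, wrong_pw),
        "parameterized": login_parameterized(conn, payload, wrong_pw),
        "legit_parameterized": login_parameterized(conn, "valid_user", "correct-horse"),
    }


if __name__ == "__main__":
    # Show the statement the vulnerable code actually sends to the database.
    print(build_query_vulnerable("valid_user'--", "not-the-password"))
    for name, ok in demo().items():
        print(f"{name:20s} {'logged in' if ok else 'denied'}")
```

Running it prints the truncated statement (`... WHERE user = 'valid_user'--' AND pass = '...'`) and shows the interpolated version admitting the attacker with a wrong password, while both the quoted and the parameterized variants deny it and still accept the genuine credentials.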

