Comments on: The ins and outs of SQL injection http://thephpblog.com/read/the-ins-and-outs-of-sql-injection/ Just another WordPress weblog Wed, 10 Mar 2010 23:17:36 +0000 http://wordpress.org/?v=2.7.1 hourly 1 By: Tintin http://thephpblog.com/read/the-ins-and-outs-of-sql-injection/comment-page-1/#comment-73 Tintin Sun, 08 Mar 2009 07:10:46 +0000 http://thephpblog.com/?p=42#comment-73 About the html entities, can you give samples like the ones above. Thanks. About the html entities, can you give samples like the ones above.

Thanks.

]]> By: hasni http://thephpblog.com/read/the-ins-and-outs-of-sql-injection/comment-page-1/#comment-70 hasni Sat, 28 Feb 2009 10:22:39 +0000 http://thephpblog.com/?p=42#comment-70 this is wonderful tutorial .. i read it 3 times and get a fantastic results and sure i put a copy of this lesson on my site here http://www.hasni.org this is wonderful tutorial .. i read it 3 times and get a fantastic results and sure i put a
copy of this lesson on my site here

http://www.hasni.org

]]> By: Adje http://thephpblog.com/read/the-ins-and-outs-of-sql-injection/comment-page-1/#comment-68 Adje Wed, 18 Feb 2009 02:18:28 +0000 http://thephpblog.com/?p=42#comment-68 Great article! In addition to addslashes, I thought I'd suggest some other methods. If you are allowing special characters and the text is going to be posted (e.g. in a comment form) I've found htmlentities() is an excellent function to prevent injection. It'll turn any special character into benign jumble to SQL and when posted will display as it was entered. Just a suggestion! Great article! In addition to addslashes, I thought I’d suggest some other methods. If you are allowing special characters and the text is going to be posted (e.g. in a comment form) I’ve found htmlentities() is an excellent function to prevent injection. It’ll turn any special character into benign jumble to SQL and when posted will display as it was entered. Just a suggestion!

]]> By: jason kenny http://thephpblog.com/read/the-ins-and-outs-of-sql-injection/comment-page-1/#comment-37 jason kenny Sat, 17 Jan 2009 07:40:10 +0000 http://thephpblog.com/?p=42#comment-37 Nice writing. You are on my RSS reader now so I can read more from you down the road. Nice writing. You are on my RSS reader now so I can read more from you down the road.

]]> By: b7ral7nen http://thephpblog.com/read/the-ins-and-outs-of-sql-injection/comment-page-1/#comment-17 b7ral7nen Thu, 11 Dec 2008 00:05:13 +0000 http://thephpblog.com/?p=42#comment-17 this is wonderful tutorial .. i read it 3 times and get a fantastic results and sure i put a copy of this lesson on my site this is wonderful tutorial .. i read it 3 times and get a fantastic results and sure i put a
copy of this lesson on my site

]]> By: comman http://thephpblog.com/read/the-ins-and-outs-of-sql-injection/comment-page-1/#comment-15 comman Wed, 10 Dec 2008 08:13:03 +0000 http://thephpblog.com/?p=42#comment-15 very nice its lesson very well explained! thank you very mach very nice its lesson
very well explained!
thank you very mach

]]> By: Frida http://thephpblog.com/read/the-ins-and-outs-of-sql-injection/comment-page-1/#comment-13 Frida Mon, 08 Dec 2008 15:44:18 +0000 http://thephpblog.com/?p=42#comment-13 You can use bind parameters with php and mysql, but you need to use PHP Data Obejcts. Check out these links for more info: http://www.metonymie.com/codewerks/2008/05/07/using-pdo-in-php-with-mysql.html http://www.phpro.org/tutorials/Introduction-to-PHP-PDO.html#10 You can use bind parameters with php and mysql, but you need to use PHP Data Obejcts.

Check out these links for more info:
http://www.metonymie.com/codewerks/2008/05/07/using-pdo-in-php-with-mysql.html
http://www.phpro.org/tutorials/Introduction-to-PHP-PDO.html#10

]]> By: Mike M http://thephpblog.com/read/the-ins-and-outs-of-sql-injection/comment-page-1/#comment-11 Mike M Fri, 05 Dec 2008 19:20:54 +0000 http://thephpblog.com/?p=42#comment-11 In the examples above the entire sql command is built into a string and the string is given to the database to execute. hopefully the components of the string have been validated so the command you intend to run is actually run. I'm not sure if php+mysql can bind parameters yet, I use php+sql server and it can. Running stored procedures with bound parameters occurs as follows. You create a stored procedure, which is like a function, but stored within the database and contains in/out parameters, result sets, and programming logic. In php you generally instantiate a database object, using methods you make a connection, add parameters, name the stored procedure, tell it to run the stored procedure. After that, you can interrogate the return code, out parameters, as well as loop though result sets. You never build a sql string. You say: parameter X is integer and here is the value of it, parameter Y is string and here is the value, you say the name of the stored procedure is ABC, you then say run the stored procedure, etc. There is no way to put fake values into the parameters and cause a different/extra sql command to run. look at the "Example #1 mssql_bind() example" code here for a good example: http://us3.php.net/manual/en/function.mssql-bind.php In the examples above the entire sql command is built into a string and the string is given to the database to execute. hopefully the components of the string have been validated so the command you intend to run is actually run.

I’m not sure if php+mysql can bind parameters yet, I use php+sql server and it can.

Running stored procedures with bound parameters occurs as follows. You create a stored procedure, which is like a function, but stored within the database and contains in/out parameters, result sets, and programming logic. In php you generally instantiate a database object, using methods you make a connection, add parameters, name the stored procedure, tell it to run the stored procedure. After that, you can interrogate the return code, out parameters, as well as loop though result sets. You never build a sql string. You say: parameter X is integer and here is the value of it, parameter Y is string and here is the value, you say the name of the stored procedure is ABC, you then say run the stored procedure, etc. There is no way to put fake values into the parameters and cause a different/extra sql command to run.

look at the “Example #1 mssql_bind() example” code here for a good example:
http://us3.php.net/manual/en/function.mssql-bind.php

]]> By: Thales http://thephpblog.com/read/the-ins-and-outs-of-sql-injection/comment-page-1/#comment-9 Thales Thu, 04 Dec 2008 14:08:16 +0000 http://thephpblog.com/?p=42#comment-9 What is a bind parameter? What is a bind parameter?

]]> By: Mike M http://thephpblog.com/read/the-ins-and-outs-of-sql-injection/comment-page-1/#comment-7 Mike M Mon, 01 Dec 2008 15:24:07 +0000 http://thephpblog.com/?p=42#comment-7 The best way to avoid any injection is to only use stored procedures with bound parameters. I'm not sure MySQL can do this yet, the last time I checked you could use stored procedures but you couldn't bind parameters. I use SQL Server and every database call goes through stored procedures with bound parameters and there is zero chance of an injection attack. The best way to avoid any injection is to only use stored procedures with bound parameters. I’m not sure MySQL can do this yet, the last time I checked you could use stored procedures but you couldn’t bind parameters. I use SQL Server and every database call goes through stored procedures with bound parameters and there is zero chance of an injection attack.

]]>