Question : Protecting against injection attacks
I'm reading the PHP Security Consortium security manual and just read this about injection attacks:
"If your database allows it (MySQL does), put single quotes around all values in your SQL statements, regardless of the data type."
I use double quotes for most if not all of my data. If you're mysql_real_escap-ing all input, does it make any difference whether you use single or double quotes, from a security perspective? I can't think of any reason it would better protect against injection attacks, but maybe I'm missing something?
Sorry if this is trivial.
Answer : Protecting against injection attacks
Just to add, another PHP function that is very useful and related to the sentence from the security guide is the is_numeric function http://us2.php.net/is_numeric when it comes to working with numeric values within SQL commands. I believe their suggestion to place quotes around numeric values is intended to make it more difficult to attempt an injection, e.g.:
$sSQL = "SELECT NumericColumn FROM TableName WHERE NumericColumn = ".$_GET['ID'];
In this case it would be easier to alter the URL argument assuming one knows the table name, e.g.:
somepage.php?ID=0; DELETE * FROM TableName;
as opposed to using quotes around the numeric value, which again works in some databases including MySQL but not in MS SQL Server, e.g.:
$sSQL = "SELECT NumericColumn FROM TableName WHERE NumericColumn = '".$_GET['ID']."'";
This makes it more difficult to inject malicious statements (but not impossible), as one would have to have something like
somepage.php?ID=0'; DELETE * FROM TableName WHERE NumericColumn LIKE '%;
The quotes make it more difficult as they would have to match exactly. Newer versions of most database systems will by default prevent multiple SQL statement executions, so the examples above would not work, but there are probably still many vulnerable systems.
The is_numeric function is very useful for a quick check:
$nID = $_GET['ID'];
if (is_numeric($nID)) {
    $sSQL = "SELECT NumericColumn FROM TableName WHERE NumericColumn = '".$nID."'";
    // Execute query...
}
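As an added illustration (not code from the question or the answer above), the following compares the is_numeric() check suggested in the answer with a stricter integer check before building the quoted query; the sample inputs are constructed and the function names are my own, and it assumes PHP 7.1 or later for the nullable return types.

```php
<?php
// Added example, not from the original post: is_numeric() versus a strict
// integer check for an ID that is interpolated into a quoted SQL value.

// is_numeric() accepts any numeric string: exponent notation, a leading
// sign, decimals and leading whitespace all pass, not just plain integers.
function passesIsNumeric(string $value): bool
{
    return is_numeric($value);
}

// Strict check: FILTER_VALIDATE_INT only accepts an optional sign followed
// by decimal digits within integer range. Exponent notation, decimals and
// any trailing text (such as an injected statement) are rejected.
function strictIntId(string $value): ?int
{
    $id = filter_var($value, FILTER_VALIDATE_INT);
    return $id === false ? null : $id;
}

// Builds the quoted query from the answer, but only from a validated integer;
// anything that failed validation yields no statement at all.
function buildQuery(?int $id): ?string
{
    if ($id === null) {
        return null;
    }
    return "SELECT NumericColumn FROM TableName WHERE NumericColumn = '" . $id . "'";
}

// Constructed sample inputs, including the two URL arguments from the answer.
$samples = [
    "42",
    "-7",
    "1e3",
    "3.5",
    "0; DELETE * FROM TableName;",
    "0'; DELETE * FROM TableName WHERE NumericColumn LIKE '%;",
];

foreach ($samples as $s) {
    $id = strictIntId($s);
    printf("%-60s is_numeric=%-5s strict=%-5s query=%s\n",
        var_export($s, true),
        passesIsNumeric($s) ? 'true' : 'false',
        var_export($id, true),
        var_export(buildQuery($id), true));
}
```

Because buildQuery() only ever receives an int or null, the quoted value in the resulting statement can never contain a quote or a second statement, which is the protection the quoting in the answer was aiming for.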