How to avoid SQL injection exploits...
Date: Saturday, December 06 @ 16:18:22 CET Topic: PHP-Nuke
This was posted on bugtraq December 4th. It seems rather basic, but nonetheless important information for php authors. I don't agree with using javascript to verify errors, since the javascript can be (and is!!) vulnerable to not providing adequate checks, and then you must assume it processed correctly, which isn't a good idea.
IMPORTANT INFORMATION FOR ALL DEVELOPERS OF PHP.
I recommend that you never allow special characters to be inserted in an input box.
Normally in an input box only numeric or alphanumeric data is necessary.
As a solution to this SQL injection you can use these functions:
ctype_alnum -- Check for alphanumeric character(s)
ctype_alpha -- Check for alphabetic character(s)
ctype_cntrl -- Check for control character(s)
ctype_digit -- Check for numeric character(s)
ctype_graph -- Check for any printable character(s) except space
ctype_lower -- Check for lowercase character(s)
ctype_print -- Check for printable character(s)
ctype_punct -- Check for any printable character which is not whitespace or an alphanumeric character
ctype_space -- Check for whitespace character(s)
ctype_upper -- Check for uppercase character(s)
ctype_xdigit -- Check for character(s) representing a hexadecimal digit
Normally you verify data with Javascript on the client, but you must verify data
in the file that receives the POST form. In the file that receives the POST data you
can use these functions.
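As an added example (not part of the original bugtraq post), here is what that server-side check looks like in the PHP file that receives the POST data: the ctype functions restrict each field to the character set it should contain, and the query that follows binds the validated values as parameters. The table name users, its columns id and username, the field names id, username and token, and the sample POST arrays are all assumptions made for the demo; in-memory SQLite is used only so the example runs without a database server.

```php
<?php
// Added example, not code from the original post: server-side validation of
// POST fields with the ctype_* functions, followed by a parameterized query.
// The `users` table, its columns and the field names are assumptions.

/**
 * Validate the fields a form would POST.
 * Returns an array of error messages; an empty array means every field is valid.
 */
function validate_post(array $post): array
{
    $errors = [];

    // ctype_digit() expects a string: cast first, because an int argument
    // between -128 and 255 is interpreted as an ASCII code, not as digits.
    // It also returns false for the empty string, so a missing field fails.
    $id = (string)($post['id'] ?? '');
    if (!ctype_digit($id) || strlen($id) > 10) {
        $errors[] = 'id must be 1-10 decimal digits';
    }

    // Usernames: letters and digits only, with a bounded length. This rejects
    // quotes, comment markers and whitespace before they reach any query.
    $user = (string)($post['username'] ?? '');
    if (!ctype_alnum($user) || strlen($user) < 3 || strlen($user) > 32) {
        $errors[] = 'username must be 3-32 alphanumeric characters';
    }

    // A hex token (e.g. a password-reset token) is checked the same way.
    $token = (string)($post['token'] ?? '');
    if (!ctype_xdigit($token) || strlen($token) !== 32) {
        $errors[] = 'token must be 32 hexadecimal digits';
    }

    return $errors;
}

// Constructed sample input standing in for $_POST; the second entry carries
// the kind of quote/operator characters the ctype checks are meant to reject.
$samples = [
    ['id' => '42', 'username' => 'alice', 'token' => str_repeat('ab', 16)],
    ['id' => '1 OR 1=1', 'username' => "admin'--", 'token' => 'zz'],
];

foreach ($samples as $i => $post) {
    $errors = validate_post($post);
    echo "sample $i: ", $errors ? implode('; ', $errors) : 'ok', PHP_EOL;
}

// Validation limits the character set; the query itself still binds values
// as parameters so that user data is never spliced into the SQL text.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO users VALUES (42, 'alice')");

$post = $samples[0];
if (validate_post($post) === []) {
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = :id AND username = :u');
    $stmt->execute([':id' => (int)$post['id'], ':u' => $post['username']]);
    var_dump($stmt->fetch(PDO::FETCH_ASSOC));
}
```

The first sample passes and the query returns the row; the second fails all three checks and never reaches the database. Note that the ctype checks and the parameter binding do different jobs: the checks enforce the format a field should have (and give the user a clear error), while binding is what keeps the data out of the SQL text, so neither replaces the other.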
ADDITIONAL INFO:
http://es2.php.net/manual/en/ref.ctype.php
To use these functions you must uncomment the library in the php.ini file:
;Windows Extensions
extension=php_ctype.dll
Javier Morueco