The most basic rule it that the front end UI elements must have no SQL in them, just references back to your scripts that contain the SQL. The reason for this is that these elements can be freely hacked.
So instead of an HTML menu like:
and then have a lookup table where you translated the value to the actual SQL.<select name="report_menu"> <option value="Select * from myTable">My cool SQL report</option> <option value="Select * from myTable where foo=bar">my other cool repo +rt</option> </select> You would do: <select name="report_menu"> <option value="1">My cool SQL report</option> <option value="2">my other cool report</option> </select>
You can accept user input for some of the values in the SQL, but you have to carefully check/filter the values (ALWAYS!!) to make sure that they don't contain nasty SQL injections. One quick and dirty way to do this is to limit inputs to alphanums only, (or something more complex if needed).
Good Luck!
-------------------------------------
Nothing is too wonderful to be true
-- Michael Faraday
In reply to Re: Avoiding SQL insecurities
by freddo411
in thread Avoiding SQL insecurities
by FubarPA
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |