in reply to Preventing SQL injection attacks: Placeholders are enough for MySQL, Postgresql and SQLite

if you want to be fairly sure that your code is SQL injection safe against typical attacks, then you should use typical attacks to test with. Most hackers use an up-to-date bundle of tricks, typically already in a script, to try to cause harm...and don't bother hand hacking. As such, the trivial test cases presented do not represent a typical SQL injection hackers bundle, by any stretch of imagination.
also, to help prevent SQL injection...normally you also untaint the data by an inclusion regex. e.g.
bad_input() if($cityname !~ /^[a-zA-Z .,]+$/);

[download]
..and never untaint by disallowing banned characters instead. you never know if your banned character list is complete.
the hardest line to type correctly is: stty erase ^H
  • Comment on Re: Preventing SQL injection attacks: Placeholders are enough for MySQL, Postgresql and SQLite
  • Download Code

Replies are listed 'Best First'.
Re^2: Preventing SQL injection attacks: Placeholders are enough for MySQL, Postgresql and SQLite
by erik (Sexton) on Jan 10, 2008 at 11:14 UTC
    You said that Most hackers use an up-to-date bundle of tricks, typically already in a script, to try to cause harm...and don't bother hand hacking. I didn't have much success looking that up in Google. Do you have any suggestion on resources/modules providing test cases of SQL injection or any other type of security threat? Such a module would be great for testing code safety or queries safety.

    BTW, when/if possible, it always seems safer to me to check inputs in a "white list" fashion. If you check that inputs contain only letters, numbers and underscores and don't exceed a certain length, that would probably increase security by a great deal.
[reply]
[reply]

In Section Meditations