BugTraq
PHPNuke SQL Injection  Feb 20 2003 08:36PM  Lucas Armstrong (lucas cgishield com)
Re: PHPNuke SQL Injection / General SQL Injection  Feb 21 2003 09:21PM  David Walker (bugtraq grax com)
slash-escaped, so if the user enters

    ' or 1=1

as their input, the SQL statement will look like

    where some_int='\' or 1=1'
This is determined by the PHP directive magic_quotes_gpc. During
script execution, you can execute

    if (!get_magic_quotes_gpc()) {
        // recurse the request arrays, calling addslashes() on every value
        foreach (array('_GET', '_POST', '_COOKIE') as $g)
            array_walk_recursive($GLOBALS[$g], function (&$v) { $v = addslashes($v); });
    }

to ensure that all user-supplied input is properly escaped.
The proper escaping for ' and " in most databases (excluding Oracle and
Sybase only, I believe) is to use \', \", and \\.
In Oracle and Sybase, ' and " are escaped as '' and "". Magic quotes
in PHP can be configured for Sybase compatibility; see the PHP website.
What I do in my portable code, where I can't know whether or not the
server it's running on has magic quotes enabled, is use a function like
this:

    function escape($input) {
        // magic_quotes_gpc has already backslash-escaped it: don't escape twice
        if (get_magic_quotes_gpc()) return $input;
        return addslashes($input);
    }

and run all user input through that. As far as I know, all major databases
accept quoted integers and interpret them as standard integers, so
*always* quote user input so that they cannot inject SQL.
David Walker wrote:
> When programming a system that creates SQL strings based on passed-in integers,
> i.e. where some_int=$variable_from_querystring
> you must always do a check to confirm that that variable contains only numeric
> data.
>
> An alternate fix on SQL servers that allow the format
> where some_int='1234' -- (quoted numbers)
> would be to do
> where some_int='replace($variable_from_querystring,"'","''")'
> This would cause a more than likely harmless error to occur whenever a character
> occurs within the passed-in numeric/integer variable.
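The following is an added worked example, not code from either poster. It runs the thread's two escaping styles (PHP addslashes()-style backslashes versus the doubled-quote form used by Oracle and Sybase) against an in-memory SQLite database, which, like Oracle and Sybase, does not treat a backslash as an escape character inside a string literal. The table `items`, its columns `some_int` and `secret`, and the helper names are the example's own. It feeds in the thread's `' or 1=1` input and a variant with a leading backslash, and also shows the bound-parameter form, in which the input is never parsed as SQL at all.

```python
import sqlite3

# Constructed sample rows for the demonstration (not from the thread).
ROWS = [(1, "one"), (2, "two"), (1234, "target")]


def make_db():
    """In-memory SQLite database with an integer column like the thread's some_int."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (some_int INTEGER, secret TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", ROWS)
    return conn


def addslashes(s):
    """PHP addslashes()/magic_quotes style: a backslash before ' " \\ and NUL.
    This matches MySQL's default string syntax, not SQLite/Oracle/Sybase."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\x00", "\\0"))


def double_quotes(s):
    """SQL-standard escaping (Oracle, Sybase, SQLite): a quote becomes ''."""
    return s.replace("'", "''")


def query_escaped(conn, user_input, escape):
    """Build the statement by string concatenation, as the thread does, after
    running the input through the given escape function.  Returns the list of
    matching secrets, or None if the database rejected the statement as
    malformed SQL (the escaping broke the query rather than the attack)."""
    sql = "SELECT secret FROM items WHERE some_int='%s'" % escape(user_input)
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return None


def query_param(conn, user_input):
    """Bound parameter: the value is handed to the engine separately from the
    statement text, so no quoting rule has to be guessed per database."""
    cur = conn.execute("SELECT secret FROM items WHERE some_int=?", (user_input,))
    return [row[0] for row in cur]


if __name__ == "__main__":
    conn = make_db()
    # "1234" matches via SQLite's numeric affinity on the quoted literal;
    # "' or 1=1" is a syntax error under addslashes and a harmless miss when
    # doubled; "\' or 1=1 --" slips past addslashes entirely because SQLite
    # reads '\\\' as a complete literal and the rest as live SQL.
    for inp in ["1234", "' or 1=1", "\\' or 1=1 --"]:
        print(repr(inp),
              "addslashes:", query_escaped(conn, inp, addslashes),
              "doubled:", query_escaped(conn, inp, double_quotes),
              "param:", query_param(conn, inp))
```

The third input is the caveat to the thread's advice: backslash escaping only protects a database whose string grammar honours backslashes, so an escape function has to be chosen per database engine, which is exactly the guesswork a bound parameter removes.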