jcaron - 1:42 pm on May 27, 2008 (gmt 0)
> Can we be absolutely clear about what systems are infected here?

Operating system, scripting / CGI language, database type? SQL injection can happen with any OS, any scripting language, and any SQL database as soon as there is an SQL database around.

It is very common in PHP, as PHP programmers are used to doing things like this:

    (BAD BAD BAD DON'T DO IT)
    mysql_query("SELECT * FROM table WHERE id=" . $_GET[id]);

which means that if the id passed is not checked, it may contain additional SQL, and the attacker can do anything they want on your database.

In the majority of other languages (and now in PHP as well I believe, but it requires a switch to more recent APIs), you can use placeholders. E.g. in perl:

    $dbh->selectrow_array("SELECT * FROM table WHERE id=?", undef, $vars{id});

This means the driver or abstraction layer will make sure that the ? will be replaced by the value passed, but correctly quoted so it can only be considered a value (usually an integer or a string), and can't be interpreted as SQL code.

However, even in languages or with APIs that do provide placeholder syntax, many developers still insert unchecked input directly into SQL queries, which is a very bad idea.

So, the advice is:

- if at all possible, switch to using a syntax with placeholders and separate values. Make sure you never insert a variable received from a web client directly into an SQL query, always use a placeholder
- if not, always check your input (e.g. that integers are actually integers), and for text always use the appropriate "quoting"/"escaping" function (that will make sure that the value passed is considered as a literal and nothing else) before inserting it into a query

Of course, the worst case scenario is with the tons of software "out there" containing such code that has been copied thousands if not millions of times by webmasters all over the world who have no idea of what this all means :-(

Jacques.
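The three patterns from the post above (string concatenation, a `?` placeholder, and an integer check before the query), as an added example that is not part of the original thread; it uses Python's built-in sqlite3 driver with a constructed in-memory table rather than the PHP/Perl MySQL calls in the post, but the placeholder mechanism is the same.

```python
import sqlite3


def make_db():
    # Constructed sample table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    return conn


def lookup_concat(conn, raw_id):
    # The pattern the post warns against: the raw request value is pasted
    # into the SQL text, so anything it contains is parsed as SQL.
    return conn.execute("SELECT name FROM users WHERE id=" + raw_id).fetchall()


def lookup_placeholder(conn, raw_id):
    # Placeholder form: the driver binds raw_id as a single value. It can
    # only ever be compared against id, never interpreted as SQL code.
    return conn.execute("SELECT name FROM users WHERE id=?", (raw_id,)).fetchall()


def lookup_checked(conn, raw_id):
    # The post's second piece of advice: check that an integer is actually
    # an integer before it goes anywhere near the query, then still bind it.
    if not raw_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    return lookup_placeholder(conn, int(raw_id))
```

With a well-formed id all three return the same row; with extra SQL in the value, only the concatenated version lets it alter the query, the placeholder version matches nothing, and the checked version rejects the input outright.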