Thought I'd write up an article explaining the risks of SQL injections and how to prevent them. Useful if you're developing database driven applications.
Clicky Here
Now THIS'll come in handy for me - there's a systems project a group is working on for my college (I'm in that group actually). Granted, the users able to access the system aren't going to be doing this stuff anyways but I'm still gunna code against it
Thanks ^_^
Edit: Hey, quick question: Could this also be countered by changing the SQL users privileges so all they can do is select statements? I mean, they can't delete something if the user that they're logging in as can't use a delete statement, right?
Last edited by Livewire; 01-28-2007 at 11:23 PM.
TOS breakers will be suspended regardless of race, creed, national origin, hair color, or favorite food. Thanks for your understanding!
That's correct, yes; you can modify the permissions for the user and this will prevent them from causing harm. This is a perfectly good way of doing things, and in production servers it is recommended. However, it can cause problems for the administration system for the site as you can't delete or modify records. The way to get around this is to have another field in the tables (for example a posts table) that is a boolean value "deleted". Then when you want to delete a field from within the application, you simply set that value to true, and when displaying the records, don't show any with the deleted field set to true.
I personally prefer to defensively code against SQL injection attacks because it's just good practice and means that when people install your application they don't have to worry about setting up separate user accounts with specific privileges.
It's personal preference, but yes, you can use user permissions.
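The restricted-account plus soft-delete approach from the reply above, written out as a MySQL set-up. This is an added example, not code from the thread; the database, table and account names and the password are placeholders.

```sql
-- Added example (not from the original thread). Placeholder names throughout.
CREATE DATABASE IF NOT EXISTS forum;
USE forum;

CREATE TABLE posts (
    id      INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
    author  VARCHAR(64)  NOT NULL,
    body    TEXT         NOT NULL,
    deleted TINYINT(1)   NOT NULL DEFAULT 0   -- soft-delete flag, never a real DELETE
);

-- Account the web application connects as. It can read and add rows and flip
-- the deleted flag, but holds no DELETE, DROP, ALTER or GRANT privilege, so a
-- statement smuggled in through an injection that tries to remove data is
-- refused by the server (ERROR 1142, "command denied to user").
CREATE USER 'app_user'@'localhost' IDENTIFIED BY 'CHANGE-ME-placeholder';
GRANT SELECT, INSERT ON forum.posts TO 'app_user'@'localhost';
GRANT UPDATE (deleted) ON forum.posts TO 'app_user'@'localhost';   -- column-level only

-- What the application does when a moderator "deletes" a post: flag it.
UPDATE posts SET deleted = 1 WHERE id = 42;

-- What the application does when listing posts: hide flagged rows.
SELECT id, author, body
FROM posts
WHERE deleted = 0
ORDER BY id DESC;

-- Real clean-up stays with a separate administrative account that is never
-- used by the web front end, e.g. run from the mysql shell as root:
-- DELETE FROM posts WHERE deleted = 1 AND id < 1000;
```

Check the grant from the application's side with `SHOW GRANTS FOR 'app_user'@'localhost';` after running it; anything beyond SELECT, INSERT and UPDATE (deleted) on that one table means the account is wider than intended.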
Killer, means I dun need to recode my website for the 400th time
The system for college I do need to do your thing with though, I already know that even though the server is using users, they're also all set to "all privileges." If you've taken so much as one class there you could destroy the whole site :S
ouch yea that sounds dangerous... just make sure you use mysql_real_escape_string() on stuff and you really can't go wrong.