This is a discussion on RE: [PHP] SQL security within the PHP General forums, part of the PHP Programming Forums category.
Eugene Lee <mailto:list-php-1@fsck.net> on Friday, October 17, 2003 8:20 AM said:

> If you're using MySQL, you can use mysql_real_escape_string(). If
> you're using another database, hopefully there is a similar function.

Doesn't MySQL automatically protect against attacks like SQL injection? Or maybe it's that it automatically applies addslashes()? I can't remember exactly.

c.

--
Don't like reformatting your Outlook replies? Now there's relief!
http://home.in.tum.de/~jain/software/outlook-quotefix/
--- "Chris W. Parker" <cparker@swatgear.com> wrote:

> Doesn't MySQL automatically protect against attacks like SQL
> injection? Or maybe it's that it automatically applies addslashes()?

Nope and nope.

What you might be thinking of is that mysql_query() only allows a single query to be executed. This helps, but it doesn't prevent everything. It only prevents SQL injection attacks that attempt to terminate the current query and execute another one.

Chris

=====
My Blog
http://shiflett.org/
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp
>> If you're using MySQL, you can use mysql_real_escape_string(). If
>> you're using another database, hopefully there is a similar function.
>
> Doesn't MySQL automatically protect against attacks like SQL injection?
> Or maybe it's that it automatically applies addslashes()? I can't
> remember exactly.

No - I don't think any database could automatically protect against SQL injection, since the basis of that attack is the malformation of queries before they even hit the DB.

There is a magic quotes feature, which adds slashes to request variables. You may be thinking of that:

<http://php.net/manual/en/ref.info.php#ini.magic-quotes-gpc>

---------------------------------------------------------------------
michal migurski- contact info and pgp key:
sf/ca http://mike.teczno.com/contact.html