php - SQL Injection prevention by replacing single-quote -


i've read replacing user input isn't safe sql injection. know (possibly example) what's wrong in (php):

function formatsql($testo){     return str_replace("'", "'", $testo); }  $username = formatsql($_post["username"]); $password = formatsql($_post["password"]);  $query = "select id utenti user='$username' , password='$password'";

i know what's wrong in (php)

the idea.

it has been proved flawed long time ago.

first of all, this code alter data. approach abstract musings crash application in real life. matter of fact, it's unacceptable behavior. however, escape quotes instead of replacing them.

second, (like of php folks) under delusion replacing characters makes data safe. while not. every php user cares reinvent wheel in field of injection protection assume strings being added query. never realize explicitly though, nor imagine other parts exists in sql query. while such replacement harmless other sql literal chicken. , name of function sure proof words.
say, have code this

$limit = formatsql($_post["limit"]); $query = "select id utenti limit $limit";

which welcome script-kiddie play db.

also, there term "user input" in reasoning, sure sign of second order injection.

taking step further, let's observe 2 kinds of applications: sort of silly home page script , relatively big web application. although code quite right former one, in latter 1 rules change. can have these 2 parts of code 

$username = formatsql($_post["username"]); $password = formatsql($_post["password"]);

and

$query = "select id utenti user='$username' , password='$password'";

dramatically separated each other. , here can slip many , many troubles, such double escaping, wrong escaping, no escaping @ all.

this why manual escaping has been considered bad practice long time ago.

instead, prepared statements have used, guarantee

  • complete formatting applied instead of silly "escaping" or "replacing"
  • different formatting applied different data types.
  • formatting applied right in place have - not sooner nor later.
  • proper formatting applied unconditionally, independently developer's or air.

this why prepared statements considered the proper way long time ago already.


Comments

Post a Comment

Popular posts from this blog

How to remove text and logo OR add Overflow on Android ActionBar using AppCompat on API 8? -

have researched death , cannot find answer. i have actionbar using appcompat. supporting api v7 (api v8 do). actionbar works api v11. api < v11 has problem of removing icon (and feature) actionbar without supplying overflow. big picture have app logo, app title, , 3 icons squidging same actionbar on low end phone. trying make room! i happy 1 of 2 solutions. either: a method of getting overflow functionality can retrieved pull down. (preferred) method of removing icon , text actionbar below current xml api 11+: <resources> <!-- base application theme api 11+. theme replaces appbasetheme res/values/styles.xml on api 11+ devices. --> <style name="appbasetheme" parent="theme.appcompat.light.darkactionbar"> <item name="android:actionbarstyle">@style/liteactionbarstyle</item> <item name="actionbarstyle">@style/liteactionbarstyle</item> </st...
Read more

html - How to style widget with post count different than without post count -

i have border below li elements in wordpress widget types appropriate. element inside set block gives them nice easy click full width. the problem, when choose option "show post count" when adding widget such categories or archives displays post count plain text after tag , because tag block pushes post number text line below. whether choose show post count or not show post count still gives exact same element identifyer example "widget_categories". how style post count not on next line still keep links non post count list items full width? here's example on sidebar www.bbmthemes.com/themes/modular/blog-standard/ in order solve problem need remove display:block; for ul.widgets ul a , add in it's place line-height: 33px; what going achieve have same visual effect. what going lose doing links going work on text , not on "box". the other way out of find post count coming , make changes this. example change text count i...
Read more

url rewriting - How to redirect a http POST with urlrewritefilter -

i have question urlrewritefilter , until not find in net. i want redirect http post in tomcat7. here example... the call http post ulr http://localhost:8080/oldapplication/example?a=123&b=2 this call contains content either xml or json. filter configured works , urlrewrite.xml contains: <?xml version="1.0" encoding="utf-8"?> <!doctype urlrewrite public "-//tuckey.org//dtd urlrewrite 4.0//en" "http://www.tuckey.org/res/dtds/urlrewrite4.0.dtd"> <urlrewrite use-query-string="true"> <rule> <condition type="method">post</condition> <from>^(.*)$</from> <to type="redirect">/newapplication$1</to> </rule> </urlrewrite> in access log can see call http://localhost:8080/oldapplication/example?a=123&b=2 gets redirected http://localhost:8080/newapplication/example?a=123&b=2 fine until now. pr...
Read more