[prog] PHP script security

Cynthia Kiser cnk at ugcs.caltech.edu
Mon Aug 18 10:38:03 EST 2003 

Ahhhh. OK so AddSlashes is the PHP/mySQL equivalent of using bind
variables when passing queries from a web server to Oracle. Just out
of curiosity, do other databases have bind variables? or is that yet
another Oracleism?  

The other plus about using bind variables in Oracle is better
performance - Oracle can reuse the cached, parsed query in more
circumstances. If you use subsituted strings in your query 

  SELECT phone FROM the_table WHERE name='$name'

then queries for Jones and Smith both have to parse and then execute 

  SELECT phone FROM the_table WHERE name='Jones';
  SELECT phone FROM the_table WHERE name='Smith'; 

But if your query is 

  SELECT phone FROM the_table WHERE name=:name;

The query is the same no matter what value is passed for name. (Small
advantage but it all adds up if you have a busy enough database.)


Quoting Dan Richter <daniel.richter at wimba.com>:
> 
> >OK I'll bite. How will escaping out ' and \ make you safe from
> >hackers?
> 
> Okay, let's say you have an online phone directory (say, for a company). 
> You invite the user to enter a name and your PHP code retrieves the phone 
> number. It might do it like this:
>    mysql_query("SELECT phone FROM the_table WHERE name='$name'");
> Of course, $name is the name the user entered.
> 
> Note that we didn't tell the program to change any data, just retrieve it.
> 
> Then one day someone enters this name:
>    '; DROP TABLE the_table;
> 
> That makes your query:
>    SELECT phone FROM the_table WHERE name='';
>    DROP TABLE the_table;
>    ';
> 
> The SQL parser will probably execute the two syntactically correct 
> statements before reporting an error on that quote at the end. And even the 
> problem of that ending part can be overcome with a little effort.
> 
> Of course, database permissions might not allow the web server to perform 
> that operation, but some less destructive attacks may still be possible. A 
> simple call to AddSlashes removes the possibility for abuse.

-- 
Cynthia N. Kiser
cnk at ugcs.caltech.edu

More information about the Programming mailing list