[Techtalk] SQL learning pointers
Kai MacTane
kmactane at GothPunk.com
Mon Dec 2 18:03:43 EST 2002
At 12/2/02 04:34 PM, Carolyn Hicks wrote:
>"SELECT * FROM contacts WHERE surname='$surname'"
>
>A malicious user could type something like
>
>'; UPDATE contacts SET firstname='u R hAX0r3d'
>[snip]
>To avoid this, you just need to make sure all user input is escaped, with
>any quotes and semicolons treated as literal characters.
Actually, the way I generally handle this sort of thing is to *only* give
them the characters they need. Who the hell has a semicolon in their name?
If the field is "Phone Number", they get 0-9, ( ) and -, plus space. That's
it. If the user enters anything containing any other character, they get a
message asking them to enter a valid phone number.
Names, OTOH, *can* have apostrophes (single quotes) in them, in names like
Conan O'Brien or Me'Shell Ndege'Ocelo. So those need to be escaped. But I
deal with that *after* throwing out any weird characters.
My view is, the more characters you let them use, the more creative ways
they can find to mess things up.
--Kai MacTane
----------------------------------------------------------------------
"Before you slip into unconsciousness,
I'd like to have another kiss,
Another flashing chance at bliss..."
--The Doors,
"The Crystal Ship"
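As an added example (not part of this thread), here is the whitelist-first approach Kai describes, in Python with the standard sqlite3 module and a constructed contacts table; it goes one step beyond the post by binding the surname as a query parameter instead of hand-escaping quotes, which is how a modern driver keeps an apostrophe in O'Brien literal.

```python
import re
import sqlite3

# Whitelists in the spirit of the post: only the characters the field needs.
PHONE_RE = re.compile(r"[0-9() \-]+")      # digits, parentheses, hyphen, space
NAME_RE = re.compile(r"[A-Za-z' \-]+")     # letters, apostrophe, space, hyphen

# The injected surname quoted in Carolyn's message, used here as test input.
QUOTED_PAYLOAD = "'; UPDATE contacts SET firstname='u R hAX0r3d'"


def valid_phone(value: str) -> bool:
    """Accept only 0-9, ( ) - and space; anything else is rejected outright."""
    return PHONE_RE.fullmatch(value) is not None


def valid_name(value: str) -> bool:
    """Accept letters plus the apostrophes that real names contain (O'Brien).
    Semicolons, equals signs and digits never pass, so the payload above fails."""
    return NAME_RE.fullmatch(value) is not None


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory sample table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (firstname TEXT, surname TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?)",
                     [("Conan", "O'Brien"), ("Ada", "Lovelace")])
    conn.commit()
    return conn


def lookup(conn: sqlite3.Connection, surname: str, whitelist: bool = True):
    """Whitelist first (returns None on rejection), then bind the surname as a
    parameter so the driver treats it as data, never as SQL text. With
    whitelist=False the binding alone still keeps the payload inert."""
    if whitelist and not valid_name(surname):
        return None
    return conn.execute(
        "SELECT firstname, surname FROM contacts WHERE surname = ?",
        (surname,),
    ).fetchall()


if __name__ == "__main__":
    db = setup_db()
    print(lookup(db, "O'Brien"))          # apostrophe is matched literally
    print(lookup(db, QUOTED_PAYLOAD))     # rejected by the whitelist: None
```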