[NBLUG/talk] CGI programming memory lapse

Chris Palmer chris at eff.org
Wed Jun 7 13:21:06 PDT 2006

Suzanne Aldrich writes:

> What I don't understand is, since everyone knows SQL injections are a
> problem, why isn't there a standard function that will clean up any
> user submitted data before performing SQL operations? Or, perhaps
> there could be a default setting that would just automagically screen
> for attacks.

There are.  First, a best practice is to use prepared statements in SQL,
if your SQL interface library supports them.  I understand recent
versions of PHP, or PHP with a certain add-on, allows you to do prepared
statements.  With prepared statements (aka "using bind variables" or
such), you essentially have a static query that is parameterized,
instead of a dynamically-generated-from-user-input query.

Additionally, PHP has a function called mysql_real_escape_string which
supposedly escapes any special SQL characters:


Using that function, and/or prepared statements, is great.  But you're
going to need real data validation *also*, *always*.  So you should do
that as well.  Belt and suspenders!

> This security-as-an-afterthought method of designing
> languages/platforms is really hurting our ability to develop new and
> innovative applications. If I'm spending half my time worrying about
> script-kiddies, I don't have as much opportunity to invent a useful
> feature or write comprehensive documentation or do usability testing.

It's true, and languages that have automatic safe-guards (checked
exceptions, dynamic arrays, strong typing, et c.) are nice.  But you
always have to spend lots of effort validating data and logic,
regardless of language or platform.  There is no magic solution, there
are only techniques that are less blatantly wrong.  :)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 186 bytes
Desc: not available
Url : http://nblug.org/pipermail/talk/attachments/20060607/dfc345b2/attachment.pgp

More information about the talk mailing list