Attack Alert :: Escaping SQL
Sometimes escaping quotes is not enough
$sql = "SELECT id, headline, author FROM news WHERE cat_id = " . addslashes($_REQUEST['category_id']);
Evil Inputs:
12 UNION SELECT 1337,username,password FROM user
12; UPDATE news SET headline = (SELECT password FROM user WHERE username = char(97,100,109,105,110)) WHERE id = 1234
Parameter Binding
Type casting
White Listing
Enclose all data in quotes (DBMS Specific/Performance issues)
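The slide's point is that neither evil input contains a quote character, so addslashes() returns it unchanged, and because cat_id is concatenated without surrounding quotes the input is parsed as SQL rather than as a value. The following is an added example, not code from the slides: it rebuilds the vulnerable pattern in Python against an in-memory sqlite3 database with a constructed news/user schema, next to the three mitigations listed above (parameter binding, type casting, white listing). Function names, the ALLOWED_CATEGORIES set and the sample rows are assumptions made for the demonstration. Only the UNION input is exercised, because Python's sqlite3 module refuses stacked statements outright and would not show the difference between the approaches for the second input.

```python
import sqlite3


def make_db():
    """Constructed in-memory schema with the two tables named on the slide."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news(id INTEGER, headline TEXT, author TEXT, cat_id INTEGER);
        CREATE TABLE user(id INTEGER, username TEXT, password TEXT);
        INSERT INTO news VALUES (1234, 'Launch day', 'editor', 12);
        INSERT INTO user VALUES (1, 'admin', 'hunter2');
    """)
    return conn


def addslashes(s):
    """Python stand-in for PHP addslashes(): backslash-escape quotes and backslashes.
    Input with no quote characters passes through unchanged."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


# Category ids the application actually knows about (constructed whitelist).
ALLOWED_CATEGORIES = {"12", "13", "14"}

QUERY = "SELECT id, headline, author FROM news WHERE cat_id = "


def escape_only(conn, category_id):
    """The slide's pattern: escape quotes, then concatenate an unquoted numeric value."""
    return conn.execute(QUERY + addslashes(category_id)).fetchall()


def parameter_binding(conn, category_id):
    """The value travels separately from the SQL text, so it can only ever be data."""
    return conn.execute(QUERY + "?", (category_id,)).fetchall()


def type_cast(conn, category_id):
    """Cast before building SQL: anything that is not an integer fails with ValueError."""
    return conn.execute(QUERY + str(int(category_id))).fetchall()


def white_list(conn, category_id):
    """Accept only values from a known set, so the SQL is built from a known literal."""
    if category_id not in ALLOWED_CATEGORIES:
        raise ValueError("category_id not in whitelist")
    return conn.execute(QUERY + category_id).fetchall()


def run_all(category_id):
    """Run one request value through every approach.

    Returns a dict of sorted result rows per approach; the string 'rejected'
    means the defence refused the input before or during the query."""
    conn = make_db()
    approaches = [
        ("escape_only", escape_only),
        ("parameter_binding", parameter_binding),
        ("type_cast", type_cast),
        ("white_list", white_list),
    ]
    results = {}
    for name, fn in approaches:
        try:
            results[name] = sorted(fn(conn, category_id))
        except (ValueError, sqlite3.Error):
            results[name] = "rejected"
    conn.close()
    return results


if __name__ == "__main__":
    for value in ["12", "12 UNION SELECT 1337,username,password FROM user"]:
        print(repr(value), run_all(value))
```

With the legitimate value "12" all four approaches return the same news row. With the UNION input, escape_only additionally returns the user table's credentials, parameter binding returns no rows (the whole string is compared as a value against cat_id and matches nothing), and type casting and white listing both refuse the request before any SQL is built. Failing closed on bad input, as the last two do, is usually preferable to silently returning an empty result, because it also gives the application something to log.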