Attack Alert :: Escaping SQL

Attack Alert :: Escaping SQL

Attack Alert :: Escaping SQL

Sometimes excaping quotes is not enough

        
              $sql = "SELECT id, headline, author
              FROM news WHERE cat_id = " . add_slashes ($_REQUEST['category_id']);

Evil Inputs:

        
              12 UNION SELECT 1337,username,password FROM user

        
              12; UPDATE news SET headline =
              (SELECT password FROM user
              WHERE
            
              username = char (97,100,109,105,110))
              WHERE id = 1234

Parameter Binding
Type casting
White Listing
Enclose all data in quotes (DBMS Specific/Performance issues)