[EHPweb] Safe SQL
Eric M Martinez
emartinez at usgs.gov
Tue Nov 4 18:10:30 GMT 2008
All,
As I am closely perusing essentially the entire website during the
migration to SVN I've noticed some troubling practices regarding SQL.
This involves cleansing neither inputs nor outputs to/from the
database. Failure to do so can result in SQL injection and cross-site
scripting (XSS). While the latter is undesirable, the former can
potentially expose us to intentional and/or accidental loss of data
integrity.
The solution to this is to cleanse all inputs before inserting into a
database or echoing values to a user. Since any reads done from the
database should now be reading cleansed input, you can safely echo
this directly to the user, however if echoing user-input directly from
a form, you should certainly make sure to cleanse it before doing so.
Cleansing input can be done in a variety of ways...
... for MySQL integers use the PHP function "intval"
... for MySQL decimals use the PHP function "floatval"
... for MySQL strings use the PHP function "mysql_real_escape_string"
... for content to be echoed to the user (in a browser) use the PHP
function "htmlspecialchars"
There are a variety of other functions that may also be useful. Read
the PHP documentation for more information. You can check out this
following example page I created that highlights these vulnerabilities
in an interactive fashion at:
http://ehpd-earthquake.cr.usgs.gov/unsafe.php
(This isn't an awesome page, but just something I threw together
quickly as an example.)
Moral of the story? Be careful when working with users. Cleanse your
inputs.
Thanks,
~Eric.
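The pattern Eric describes, as an added example that is not part of his message or of the EHPweb site's code. It shows a query built from raw form values beside one that applies the functions he lists (intval, floatval, an escape function for strings, htmlspecialchars on output), plus a prepared-statement version, which is the form to prefer today. Two caveats a practitioner will want: the mysql_* extension was removed in PHP 7.0, so the mysqli method real_escape_string stands in for mysql_real_escape_string, and it only escapes correctly when the connection charset has been set with set_charset; and escaping for SQL and encoding for HTML are different operations, so a value that was safe to store is still encoded with htmlspecialchars when it is echoed. The table name `events`, its columns, and the connection credentials are placeholders.

```php
<?php
// Added example; not the author's or the EHPweb site's code.
// Assumed schema (placeholder): events(id INT, magnitude DECIMAL(4,1), region VARCHAR(64)).
declare(strict_types=1);

// UNSAFE: untrusted $_GET values are concatenated straight into SQL and HTML.
// region = "' OR '1'='1" makes the WHERE clause always true; a stored
// "<script>" in region runs in every viewer's browser on output.
function unsafe_lookup(mysqli $db, array $get): string
{
    $sql = "SELECT id, magnitude, region FROM events WHERE region = '" . $get['region'] . "'";
    $html = '';
    foreach ($db->query($sql) as $row) {
        $html .= '<li>' . $row['region'] . '</li>';
    }
    return $html;
}

// CLEANSED, as the message recommends: cast numerics, escape strings for the
// SQL context, then encode for the HTML context when echoing.
function cleansed_lookup(mysqli $db, array $get): string
{
    $minMag = floatval($get['min_mag'] ?? 0);               // DECIMAL column
    $limit  = max(0, intval($get['limit'] ?? 10));          // INT column; negative LIMIT is invalid SQL
    $region = $db->real_escape_string($get['region'] ?? ''); // VARCHAR column; needs set_charset() first

    $sql = "SELECT id, magnitude, region FROM events"
         . " WHERE region = '$region' AND magnitude >= $minMag"
         . " ORDER BY magnitude DESC LIMIT $limit";

    $html = '';
    foreach ($db->query($sql) as $row) {
        // Encode on output: SQL escaping does nothing for < > " in a browser.
        $html .= '<li>' . htmlspecialchars($row['region'], ENT_QUOTES, 'UTF-8') . '</li>';
    }
    return $html;
}

// PREFERRED: a prepared statement keeps data and SQL separate, so no
// escaping of the values is needed at all. Types: s=string, d=double, i=int.
// Assumes mysqlnd for get_result().
function prepared_lookup(mysqli $db, string $region, float $minMag, int $limit): array
{
    $stmt = $db->prepare(
        'SELECT id, magnitude, region FROM events'
        . ' WHERE region = ? AND magnitude >= ? ORDER BY magnitude DESC LIMIT ?'
    );
    $stmt->bind_param('sdi', $region, $minMag, $limit);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Output encoding is still required regardless of how the rows were fetched.
function render_rows(array $rows): string
{
    $html = "<ul>\n";
    foreach ($rows as $row) {
        $html .= sprintf(
            "<li>%d: %s (M%.1f)</li>\n",
            (int) $row['id'],
            htmlspecialchars((string) $row['region'], ENT_QUOTES, 'UTF-8'),
            (float) $row['magnitude']
        );
    }
    return $html . "</ul>\n";
}

// Usage (placeholder credentials and database name):
$db = new mysqli('localhost', 'webuser', 'secret', 'quakes');
$db->set_charset('utf8mb4'); // required for real_escape_string to be correct

echo render_rows(prepared_lookup(
    $db,
    (string) ($_GET['region'] ?? ''),
    floatval($_GET['min_mag'] ?? 0),
    max(0, intval($_GET['limit'] ?? 10))
));
```

The cleansed version works only because every interpolated value passes through a function matched to its column type; forgetting one is enough to reopen the hole, which is why the prepared form is the better default.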