Linux Archive: Ubuntu Server Development, thread "SQL Injection immunity on Ubuntu"
(http://www.linux-archive.org/ubuntu-server-development/83488-sql-injection-immunity-ubuntu.html)

Dax Solomon Umaming 05-07-2008 07:11 AM

SQL Injection immunity on Ubuntu
 
Hi,

I'm supposed to send this to ubuntu-users list but I believe this question's
more fitting to this list.

I've been developing web applications based on PHP and MySQL since Dapper, and
only now am I worried about SQL injection. You see, my next project's another
web app - but for our consumers (and there are a lot of smarter users out
there).

Our server's still using Gutsy, and I've tried snippets from
http://en.wikipedia.org/wiki/SQL_injection . I'm surprised to see that PHP
escaped them with . I've echoed almost all forms on my scripts with the same
results.

So now my questions are:
Is the default LAMP stack on Ubuntu Server immune from SQL Injections?
If I move my PHP script to a freshly-installed Hardy, will I get the same
result?

Thanks
--
Dax Solomon Umaming
http://blog.knightlust.com/
GPG: 0x715C3547
--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

Onno Benschop 05-07-2008 07:28 AM

SQL Injection immunity on Ubuntu
 
On 07/05/08 15:11, Dax Solomon Umaming wrote:
> Hi,
>
> I'm supposed to send this to ubuntu-users list but I believe this question's
> more fitting to this list.
>
> I've been developing web applications based on PHP and MySQL since Dapper, and
> only now am I worried about SQL injection. You see, my next project's another
> web app - but for our consumers (and there are a lot of smarter users out
> there).
>
> Our server's still using Gutsy, and I've tried snippets from
> http://en.wikipedia.org/wiki/SQL_injection . I'm surprised to see that PHP
> escaped them with . I've echoed almost all forms on my scripts with the same
> results.
>
> So now my questions are:
> Is the default LAMP stack on Ubuntu Server immune from SQL Injections?
> If I move my PHP script to a freshly-installed Hardy, will I get the same
> result?
>
> Thanks
>
No, no, no, let me say that again, no.

SQL injections are *nothing* to do with the "LAMP stack on Ubuntu Server".

An SQL injection happens if you receive input from an unverified source
and send it to your SQL server.

Said in another way, it means that if you receive input from a user that
is sent to the SQL server, you are responsible as a developer to ensure
that it does not cause an SQL injection to happen.

Fortunately, PHP comes with a lovely function to help you:
mysql_real_escape_string()

The idea is that you escape each of the user supplied values, then
create an SQL query with the escaped strings.

For example:

<?php
// mysql_real_escape_string() needs an open mysql_connect() link: it escapes
// according to that connection's character set. (The mysql_* extension was
// removed in PHP 7; mysqli or PDO prepared statements replace it.)
$name  = mysql_real_escape_string($_POST['name']);
$email = mysql_real_escape_string($_POST['email']);

// Both placeholders sit inside quotes, which is what makes the escaping effective.
$sql = sprintf('SELECT * FROM userTable WHERE name="%s" AND email="%s"', $name, $email);




--
Onno Benschop

Connected via Optus B3 at S31°54'06" - E115°50'39" (Yokine, WA)
--
()/)/)() ..ASCII for Onno..
|>>? ..EBCDIC for Onno..
--- -. -. --- ..Morse for Onno..

ITmaze - ABN: 56 178 057 063 - ph: 04 1219 8888 - onno@itmaze.com.au



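Added example, not code from either post: the escaping recipe above, the vulnerable string-pasting it replaces, and a parameterised query, run side by side against the same payloads. It is written in Python with an in-memory SQLite table so it runs stand-alone (the sample rows and the "userTable" name are constructed); the escape() function stands in for mysql_real_escape_string(), which against MySQL must be the real function because it also handles backslashes, NUL and the connection's character set. The example also covers a case the recipe does not: escaping only protects a placeholder that sits inside quotes, so an unquoted numeric placeholder (WHERE id = %s) stays injectable, while a bound parameter is safe in both positions. Automatic backslash-escaping of request data, as described in the original question, is what PHP's magic_quotes_gpc setting did when enabled; it is a per-server php.ini option, not a property of Ubuntu's LAMP stack, and it was removed in PHP 5.4.

```python
import sqlite3

# Constructed sample rows for an in-memory table (example data, not from the thread).
USERS = [
    (1, "alice", "alice@example.com", "hunter2"),
    (2, "bob", "bob@example.com", "letmein"),
    (3, "dax", "dax@example.com", "s3cret"),
]

# Classic tautology payload: closes the string literal and appends OR '1'='1.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Return an in-memory SQLite database holding the constructed userTable."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE userTable (id INTEGER, name TEXT, email TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO userTable VALUES (?, ?, ?, ?)", USERS)
    return conn


def escape(value):
    """Stand-in for mysql_real_escape_string(): neutralise the string delimiter.

    SQLite escapes a single quote by doubling it. Against MySQL use the real
    function (or mysqli_real_escape_string), which also handles backslash, NUL
    and multi-byte edge cases according to the connection's character set.
    """
    return value.replace("'", "''")


def login_concat(conn, name, password):
    """Vulnerable: request values pasted straight into the SQL text."""
    sql = (
        "SELECT name FROM userTable WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return [row[0] for row in conn.execute(sql)]


def login_escaped(conn, name, password):
    """Onno's recipe: escape each value, then build the query.

    Safe only because both placeholders sit inside quotes, so a value can
    never terminate the literal it is placed in.
    """
    sql = (
        "SELECT name FROM userTable WHERE name = '%s' AND password = '%s'"
        % (escape(name), escape(password))
    )
    return [row[0] for row in conn.execute(sql)]


def user_by_id_escaped(conn, user_id):
    """Escaping applied to an unquoted numeric placeholder: still injectable.

    A payload such as "2 OR 1=1" contains no quote character, so escape()
    returns it unchanged and the attacker's OR clause becomes part of the query.
    """
    sql = "SELECT name FROM userTable WHERE id = %s" % escape(user_id)
    return [row[0] for row in conn.execute(sql)]


def user_by_id_param(conn, user_id):
    """Parameterised query: the value is bound, never spliced into SQL text."""
    cur = conn.execute("SELECT name FROM userTable WHERE id = ?", (user_id,))
    return [row[0] for row in cur]


def demo():
    """Run each variant against the same payloads and return the results."""
    conn = make_db()
    return {
        "concat_normal": login_concat(conn, "alice", "hunter2"),
        "concat_injected": login_concat(conn, "alice", PAYLOAD),
        "escaped_injected": login_escaped(conn, "alice", PAYLOAD),
        "id_escaped_injected": user_by_id_escaped(conn, "2 OR 1=1"),
        "id_param_injected": user_by_id_param(conn, "2 OR 1=1"),
        "id_param_normal": user_by_id_param(conn, 2),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print("%-22s %s" % (label, names))
```

With the payload in the password field, login_concat() returns every user because the query becomes `... AND password = '' OR '1'='1'`; login_escaped() returns nothing, since the quote is doubled and the whole payload is compared as a literal. user_by_id_escaped() returns every user for "2 OR 1=1" even though escape() was applied, which is why the prepared-statement form is the one to reach for: it does not depend on the developer remembering which placeholders are quoted.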
