Old 05-07-2008, 07:11 AM
Dax Solomon Umaming
 
SQL Injection immunity on Ubuntu

Hi,

I'm supposed to send this to ubuntu-users list but I believe this question's
more fitting to this list.

I've been developing web applications based on PHP and MySQL since Dapper, and
only now am I worried about SQL injection. You see, my next project's another
web app - but for our consumers (and there are a lot of smarter users out
there).

Our server's still using Gutsy, and I've tried snippets from
http://en.wikipedia.org/wiki/SQL_injection . I'm surprised to see that PHP
escaped them with \. I've echoed almost all forms on my scripts with the same
results.

So now my questions are:
Is the default LAMP stack on Ubuntu Server immune from SQL Injections?
If I move my PHP script to a freshly-installed Hardy, will I get the same
result?

Thanks
--
Dax Solomon Umaming
http://blog.knightlust.com/
GPG: 0x715C3547
--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
 
Old 05-07-2008, 07:28 AM
Onno Benschop
 
SQL Injection immunity on Ubuntu

On 07/05/08 15:11, Dax Solomon Umaming wrote:
> Hi,
>
> I'm supposed to send this to ubuntu-users list but I believe this question's
> more fitting to this list.
>
> I've been developing web applications based on PHP and MySQL since Dapper, and
> only now am I worried about SQL injection. You see, my next project's another
> web app - but for our consumers (and there are a lot of smarter users out
> there).
>
> Our server's still using Gutsy, and I've tried snippets from
> http://en.wikipedia.org/wiki/SQL_injection . I'm surprised to see that PHP
> escaped them with \. I've echoed almost all forms on my scripts with the same
> results.
>
> So now my questions are;
> Is the default LAMP stack on Ubuntu Server immune from SQL Injections?
> If I move my PHP script to a freshly-installed Hardy, will I get the same
> result?
>
> Thanks
>
No, no, no, let me say that again, no.

SQL injections are *nothing* to do with the "LAMP stack on Ubuntu Server".

An SQL injection happens if you receive input from an unverified source
and send it to your SQL server.

Said in another way, it means that if you receive input from a user that
is sent to the SQL server, you are responsible as a developer to ensure
that it does not cause an SQL injection to happen.

Fortunately, PHP comes with a lovely function to help you:
mysql_real_escape_string()

The idea is that you escape each of the user supplied values, then
create an SQL query with the escaped strings.

For example:

// Escape each user-supplied value first (uses the open mysql_connect() link,
// whose character set determines what needs escaping).
$name  = mysql_real_escape_string($_POST['name']);
$email = mysql_real_escape_string($_POST['email']);

// Then build the query from the escaped strings, each one inside quotes.
$sql = sprintf('SELECT * FROM userTable WHERE name="%s" AND email="%s"',
               $name, $email);

--
Onno Benschop

Connected via Optus B3 at S3154'06" - E11550'39" (Yokine, WA)
--
()/)/)() ..ASCII for Onno..
|>>? ..EBCDIC for Onno..
--- -. -. --- ..Morse for Onno..

ITmaze - ABN: 56 178 057 063 - ph: 04 1219 8888 - onno@itmaze.com.au



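A worked version of the point Onno makes, added here by the editor (it is not code from either poster, from Ubuntu, or from the original thread): the vulnerable concatenated query, the escaped query from the post above, and the prepared statement that has since replaced escaping as the recommended fix, side by side in PHP. The backslashes Dax saw are what PHP's magic_quotes_gpc setting adds to GET/POST/COOKIE data (default On in PHP 5.2, deprecated in 5.3, removed in 5.4); it is a php.ini setting, not a property of the Ubuntu LAMP stack, and neither it nor mysql_real_escape_string() helps when a value lands in an unquoted numeric context, which the last two functions show. The example uses PDO with an in-memory SQLite database so it runs offline; the table name userTable comes from the post, while the id column, the rows and the payloads are constructed for the demo. PDO is used because the mysql_* functions in the post were deprecated in PHP 5.5 and removed in PHP 7.0.

```php
<?php
// Added example by the editor, not code from the original thread.
// Runs offline against an in-memory SQLite database through PDO; point the DSN
// at 'mysql:host=...;dbname=...' to run the same code against MySQL.
// The id column, the rows and the payloads below are constructed for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userTable (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO userTable (name, email) VALUES ('alice', 'alice@example.com')");
$db->exec("INSERT INTO userTable (name, email) VALUES ('bob', 'bob@example.com')");

// 1. Vulnerable: form values are spliced straight into the SQL text, so a
//    quote in the input ends the string literal and the rest is run as SQL.
function lookupConcat(PDO $db, string $name, string $email): array
{
    $sql = "SELECT * FROM userTable WHERE name='$name' AND email='$email'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Escaping, the approach in the post above. PDO::quote() plays the role of
//    mysql_real_escape_string() here and also supplies the surrounding quotes.
//    This is only sound when every escaped value sits inside quotes.
function lookupEscaped(PDO $db, string $name, string $email): array
{
    $sql = sprintf(
        'SELECT * FROM userTable WHERE name=%s AND email=%s',
        $db->quote($name),
        $db->quote($email)
    );
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Prepared statement: the statement's shape is fixed before any value is
//    bound, so no input can alter its structure. Prefer this over escaping.
function lookupPrepared(PDO $db, string $name, string $email): array
{
    $stmt = $db->prepare('SELECT * FROM userTable WHERE name = :name AND email = :email');
    $stmt->execute([':name' => $name, ':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Where escaping alone fails: an unquoted numeric column. The payload holds no
// quote or backslash, so an escaping function (addslashes() stands in for
// mysql_real_escape_string()) returns it unchanged and it is executed as SQL.
function lookupByIdEscaped(PDO $db, string $id): array
{
    $sql = 'SELECT * FROM userTable WHERE id=' . addslashes($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The fix for numeric input: validate the shape, then bind it as an integer.
function lookupByIdPrepared(PDO $db, string $id): array
{
    if (!preg_match('/^\d+\z/', $id)) {
        return []; // reject anything that is not a plain unsigned integer
    }
    $stmt = $db->prepare('SELECT * FROM userTable WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed payloads: the classic tautology for the string fields and a
// bare boolean for the numeric field.
$textPayload = "' OR '1'='1";
$idPayload   = '1 OR 1=1';

printf("concat   (text): %d rows\n", count(lookupConcat($db, $textPayload, $textPayload)));
printf("escaped  (text): %d rows\n", count(lookupEscaped($db, $textPayload, $textPayload)));
printf("prepared (text): %d rows\n", count(lookupPrepared($db, $textPayload, $textPayload)));
printf("escaped  (id):   %d rows\n", count(lookupByIdEscaped($db, $idPayload)));
printf("prepared (id):   %d rows\n", count(lookupByIdPrepared($db, $idPayload)));
```

Run it with `php` (the pdo_sqlite extension must be loaded). The concatenated text query and the escaped-but-unquoted id query return every row in the table, which is the injection; the quoted-escape and both prepared versions return none for the same input. The lesson matches Onno's reply: the stack does not decide whether injection happens, the code that builds the query does, and a prepared statement is the form that makes the safe outcome the default rather than something to remember per value.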