Wietse Venema wrote:
> Stefan Esser:
>
>> 2) Using mysql_real_escape_string() on user input does not make it safe
>> for SQL. It only makes SQL strings safe.
>> Example: "SELECT * FROM table WHERE id=".mysql_real_escape_string($id)
>> is NOT secure but will result in no taint warning
>>
>
> Can you give a specific example? I'd like to know how likely such
> things would be in real code.
>

I have to search for an example where mysql_real_escape_string is used wrongly like this....

However, the "bigger" problem is that if the statement is like

"SELECT * FROM table WHERE id=$id"

which *IS* quite common in insecure code, your patch will give the following warning:

"contains data that is not converted with mysql_real_escape_string()"

This gives the message to the uneducated user (and that is the one you want to protect) to write something like this in his code:

"SELECT * FROM table WHERE id=".mysql_real_escape_string($id)

The PHP taint mode will stop crying, and that teaches the developer the WRONG message.

And just look into blogs... People even add user input into SQL comments and wrongly use mysql_real_escape_string() there, which is complete nonsense.

Stefan Esser

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
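The two failure modes Stefan describes (escaping applied to an unquoted numeric value, and escaping applied to data dropped into an SQL comment) can be reproduced without a MySQL server. The following is an added example, not code from the mailing-list thread or from PHP itself: it re-implements the character set that mysql_real_escape_string() escapes in Python (an assumption; the real function also depends on the connection character set) and runs the resulting queries against an in-memory SQLite table of constructed sample rows, which stands in for MySQL. The payloads contain no quote, backslash or control characters, so the escaper has nothing to change and the query runs identically on both engines; that is exactly the point of the mail.

```python
import sqlite3

# Python re-implementation of the characters mysql_real_escape_string()
# rewrites: NUL, newline, carriage return, backslash, both quote characters
# and Ctrl-Z. Illustration only; the real function is charset-aware.
_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}


def mysql_real_escape_string(value: str) -> str:
    """Escape exactly the characters MySQL's escaper would, nothing else."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _fresh_db() -> sqlite3.Connection:
    """Constructed sample table; SQLite in memory stands in for MySQL."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return db


def rows_unquoted_escaped(user_id: str) -> list:
    """The pattern from the mail: escaping applied to an UNQUOTED value.

    A payload such as '1 OR 1=1' has no escapable characters, so the
    escaper returns it unchanged and it is spliced in as SQL syntax.
    """
    db = _fresh_db()
    sql = "SELECT id FROM users WHERE id=" + mysql_real_escape_string(user_id)
    return [row[0] for row in db.execute(sql)]


def rows_comment_injection(note: str) -> list:
    """User data escaped and then placed inside an SQL comment.

    '*/' closes the comment early; what follows becomes live SQL, and a
    trailing '/*' swallows the original closing ' */'. Again nothing in
    the payload is touched by the escaper.
    """
    db = _fresh_db()
    sql = ("SELECT id FROM users WHERE id=1 /* "
           + mysql_real_escape_string(note) + " */")
    return [row[0] for row in db.execute(sql)]


def rows_parameterized(user_id: str) -> list:
    """The fix: a bound parameter is data, never syntax, quoted or not."""
    db = _fresh_db()
    return [row[0] for row in
            db.execute("SELECT id FROM users WHERE id=?", (user_id,))]


if __name__ == "__main__":
    print(rows_unquoted_escaped("2"))            # [2]
    print(rows_unquoted_escaped("1 OR 1=1"))     # [1, 2, 3]  all rows leak
    print(rows_comment_injection("audit note"))  # [1]
    print(rows_comment_injection("*/ OR 1=1 /*"))  # [1, 2, 3]
    print(rows_parameterized("1 OR 1=1"))        # []  payload is just a value
```

The escaper is correct for its purpose; the defect is the call site. A taint analysis that treats mysql_real_escape_string() as a universal sanitizer will stay silent on both of the injected queries above, whereas the parameterized form needs no escaping at all.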