On Fri, Aug 7, 2015 at 10:29 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> Even if there is an identifier placeholder, the SQL keyword remains.
> So to be perfect, you'll need another placeholder for SQL keywords.
> There is no escaping for SQL keywords; it has to be validation.
> e.g. ORDER BY {$_GET['order']}

Oops, the last line should be

e.g. ORDER BY col {$_GET['order']}

BTW, instead of improving PHP, users would do better to request an "identifier escape API" from DB developers, like PQescapeIdentifier() in PostgreSQL's client library. IMO.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
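An added example, not from Yasuo's message or the PHP project, showing the two treatments the message distinguishes for `ORDER BY col {$_GET['order']}`: the column is an identifier and can be escaped, while ASC/DESC is a keyword and can only be validated. `quoteIdentifier`, `validateDirection` and `buildOrderBy` are names chosen here; the quoting rule mirrors PQescapeIdentifier() (exposed in PHP as pg_escape_identifier()), reimplemented so the example runs without a database connection.

```php
<?php
// Added example (not from the original thread). For a query such as
//   ORDER BY col {$_GET['order']}
// the column name is an identifier and can be *escaped* (quoted),
// but ASC/DESC is an SQL keyword and can only be *validated*.

/**
 * Quote an SQL identifier the way PQescapeIdentifier() does for
 * PostgreSQL: wrap it in double quotes and double any embedded quote.
 * PHP exposes the real library call as pg_escape_identifier(); this
 * standalone version exists so the example runs without a connection.
 */
function quoteIdentifier(string $name): string
{
    if ($name === '' || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('invalid identifier');
    }
    // Quoting stops injection; it does not stop a caller from sorting by
    // any column that exists, so an allowlist of columns is still advisable.
    return '"' . str_replace('"', '""', $name) . '"';
}

/**
 * Validate an ORDER BY direction against the closed set of keywords.
 * Anything that is not exactly ASC or DESC is rejected; no escaping
 * function could make a value like "DESC; DROP TABLE t" safe.
 */
function validateDirection(string $dir): string
{
    $dir = strtoupper(trim($dir));
    if ($dir !== 'ASC' && $dir !== 'DESC') {
        throw new InvalidArgumentException('invalid sort direction');
    }
    return $dir;
}

function buildOrderBy(string $column, string $direction): string
{
    return 'ORDER BY ' . quoteIdentifier($column) . ' ' . validateDirection($direction);
}

// Constructed sample inputs standing in for $_GET values.
echo buildOrderBy('created_at', 'desc'), "\n";
echo buildOrderBy('weird"col', 'ASC'), "\n";
try {
    buildOrderBy('created_at', 'DESC; DROP TABLE users');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```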