SQL Injection immunity on Ubuntu

Onno Benschop onno at itmaze.com.au
Wed May 7 07:28:19 UTC 2008


On 07/05/08 15:11, Dax Solomon Umaming wrote:
> Hi,
>
> I'm supposed to send this to ubuntu-users list but I believe this question's 
> more fitting to this list.
>
> I've been developing web applications based on PHP and MySQL since Dapper, and 
> only now am I worried about SQL injection. You see, my next project's another 
> web app - but for our consumers (and there are a lot of smarter users out 
> there).
>
> Our server's still using Gutsy, and I've tried snippets from 
> http://en.wikipedia.org/wiki/SQL_injection . I'm surprised to see that PHP 
> escaped them with \. I've echoed almost all forms on my scripts with the same 
> results.
>
> So now my questions are:
> Is the default LAMP stack on Ubuntu Server immune from SQL Injections? 
> If I move my PHP script to a freshly-installed Hardy, will I get the same 
> result?
>
> Thanks
>   
No, no, no, let me say that again, no.

SQL injections are *nothing* to do with the "LAMP stack on Ubuntu Server".

An SQL injection happens if you receive input from an unverified source
and send it to your SQL server.

Said in another way, it means that if you receive input from a user that
is sent to the SQL server, you are responsible as a developer to ensure
that it does not cause an SQL injection to happen.

Fortunately, PHP comes with a lovely function to help you:
mysql_real_escape_string()

The idea is that you escape each of the user supplied values, then
create an SQL query with the escaped strings.

For example:

    // Escape each user-supplied value first...
    $name = mysql_real_escape_string($_POST['name']) ;
    $email = mysql_real_escape_string($_POST['email']) ;

    // ...then build the query from the escaped strings.
    $sql = sprintf('SELECT * FROM userTable WHERE name="%s" and email="%s"',
                   $name, $email) ;

-- 
Onno Benschop

Connected via Optus B3 at S31°54'06" - E115°50'39" (Yokine, WA)
--
()/)/)()        ..ASCII for Onno..
|>>?            ..EBCDIC for Onno..
--- -. -. ---   ..Morse for Onno..

ITmaze   -   ABN: 56 178 057 063   -  ph: 04 1219 8888   -   onno at itmaze.com.au
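As an added example (not part of Onno's post), the lookup above built three ways against an in-memory SQLite database, so it runs without a MySQL server; PDO::quote() stands in for the mysql_real_escape_string() call the post names (it also adds the surrounding quotes), and the table, rows and form input are constructed for the demonstration.

```php
<?php
// Added example: compare unescaped, escaped and parameterised versions of the
// same query. SQLite is used in place of MySQL so this runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userTable (name TEXT, email TEXT)');
$db->exec("INSERT INTO userTable VALUES ('alice', 'alice@example.org'),
                                        ('bob',   'bob@example.org')");

// Constructed "form input": a name nobody has, and an email value that
// closes the string literal and appends a condition that is always true.
$name  = 'nobody';
$email = "x' OR '1'='1";

// 1. Unescaped: the quote in $email ends the literal early, so the WHERE
//    clause becomes (name='nobody' AND email='x') OR '1'='1' and matches
//    every row in the table.
$sql1  = sprintf("SELECT * FROM userTable WHERE name='%s' AND email='%s'",
                 $name, $email);
$rows1 = $db->query($sql1)->fetchAll();

// 2. Escaped before formatting, as the post recommends. PDO::quote() returns
//    the value already wrapped in quotes, so the format string carries none;
//    the embedded quote is now just a character inside the literal.
$sql2  = sprintf('SELECT * FROM userTable WHERE name=%s AND email=%s',
                 $db->quote($name), $db->quote($email));
$rows2 = $db->query($sql2)->fetchAll();

// 3. Prepared statement: the values are sent separately from the SQL text,
//    so no escaping step can be forgotten.
$stmt = $db->prepare('SELECT * FROM userTable WHERE name=? AND email=?');
$stmt->execute([$name, $email]);
$rows3 = $stmt->fetchAll();

printf("unescaped: %d rows\nescaped:   %d rows\nprepared:  %d rows\n",
       count($rows1), count($rows2), count($rows3));
```

Escaping only protects a value that sits inside a quoted literal; an unquoted placeholder such as `WHERE id=%s` stays injectable however carefully the value is escaped, which is why the prepared-statement form is the safer habit.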