Subject | Re: [firebird-php] PHP & Firebird SQL Injection Protection |
---|---|
Author | Yves Glodt |
Post date | 2006-05-17T07:04:30Z |
myles@... wrote:
> I have read a lot of documentation about protecting one's PHP applications
> from SQL Injection hacking, but all examples I read are based on MySQL. I
> use Stored Procedures in Firebird for EVERYTHING and consequently it looks
> like this alone is a great way to protect my database from hacking attempts.
>
> However I would like to know if others have adopted any particular tricks to
> protect their PHP apps from SQL Injection hack attacks with Firebird. If
> anyone has any functions that they have developed that 'sanitizes' any fields
> before using them for INSERTs, etc. I'd love to take a look at what you may
> have done.

A first and very important recommendation would be to use parameterized
queries (by using placeholders), and never put form data directly into
the sql you pass to ibase_query() or ibase_execute().
Here is an example for ibase_execute():
http://lu2.php.net/manual/en/function.ibase-execute.php
For ibase_query you can do it like this:
$sth = ibase_query($dbh, 'select a from b where c = ? and d = ?', $c, $d); // $dbh: the ibase_connect() link
And, of course, use register_globals = off in php.ini (though in 2006 I
guess the times it defaulted to "on" should be past... ;-) )
Best regards,
Yves

> Thanks in advance for any examples.
>
> Myles
>
>
> ============================
> Myles Wakeham
> Director of Engineering
> Tech Solutions US, Inc.
> Scottsdale, Arizona USA
> Phone (480) 451-7440
> www.techsol.org
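The advice in the reply, as an added PHP example that is not from the post or from the PHP manual page it links: the string-concatenation pattern that lets form data alter the query, beside the placeholder forms for ibase_query(), ibase_prepare()/ibase_execute() and a stored-procedure call, plus the one case placeholders cannot cover (identifiers). Table b, its columns, the procedure find_b and the connection arguments are assumptions.

```php
<?php
// Added example, not code from the original post. Assumes the ibase_*
// (interbase) extension; the database path and credentials are placeholders.
$dbh = ibase_connect('/path/to/placeholder.fdb', 'SYSDBA', 'placeholder');

// Untrusted values straight from the request (defaults are constructed).
$c = $_GET['c'] ?? 'x';
$d = $_GET['d'] ?? 'y';

// VULNERABLE: form data pasted into the SQL text. A value containing a
// quote (e.g. x' OR 'a'='a) changes the statement's structure. Do not run this.
$vulnerable = "select a from b where c = '$c' and d = '$d'";

// SAFE, one-shot: placeholders with ibase_query(). The driver sends $c and
// $d as data, so they can never alter the statement's structure.
$rs = ibase_query($dbh, 'select a from b where c = ? and d = ?', $c, $d);
while ($row = ibase_fetch_assoc($rs)) {
    echo $row['A'], "\n";   // Firebird folds unquoted column names to upper case
}
ibase_free_result($rs);

// SAFE, reused: prepare once, execute many times with different bindings.
$sth = ibase_prepare($dbh, 'insert into b (a, c, d) values (?, ?, ?)');
foreach ([[1, 'p', 'q'], [2, 'r', 's']] as $vals) {   // constructed rows
    ibase_execute($sth, ...$vals);
}
ibase_free_query($sth);

// Stored procedures help only when their arguments are bound the same way;
// "execute procedure find_b('" . $c . "')" would be just as injectable.
// find_b is an assumed procedure taking (c, d).
ibase_query($dbh, 'execute procedure find_b(?, ?)', $c, $d);

// Placeholders bind values, not identifiers. A caller-chosen column name
// must be checked against an allow-list before it goes into the SQL text.
$allowedCols = ['a' => true, 'c' => true];
$col = $_GET['col'] ?? 'a';
if (!isset($allowedCols[$col])) {
    throw new InvalidArgumentException('unknown column');
}
$rs = ibase_query($dbh, "select $col from b where d = ?", $d);
ibase_free_result($rs);

ibase_close($dbh);
```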