Subject Re: [firebird-php] PHP & Firebird SQL Injection Protection
Author Yves Glodt
myles@... wrote:
> I have read a lot of documentation about protecting one's PHP applications
> from SQL Injection hacking, but all examples I read are based on MySQL. I
> use Stored Procedures in Firebird for EVERYTHING and consequently it looks
> like this alone is a great way to protect my database from hacking attempts.
> However I would like to know if others have adopted any particular tricks to
> protect their PHP apps from SQL Injection hack attacks with Firebird. If
> anyone has any functions that they have developed that 'sanitize' any fields
> before using them for INSERTs, etc. I'd love to take a look at what you may
> have done.

A first and very important recommendation would be to use parameterized
queries (by using placeholders), and never put form data directly into
the SQL you pass to ibase_query() or ibase_execute().

Here is an example for ibase_execute():

For ibase_query you can do like this:

// $dbh is the connection resource returned by ibase_connect();
// $c and $d are bound to the two ? placeholders, never interpolated into the SQL text.
$sth = ibase_query($dbh, 'select a from b where c = ? and d = ?', $c, $d);

And, of course, use register_globals = off in php.ini (though in 2006 I
guess the times it defaulted to "on" should be past... ;-) )

Best regards,

> Thanks in advance for any examples.
> Myles
> ============================
> Myles Wakeham
> Director of Engineering
> Tech Solutions US, Inc.
> Scottsdale, Arizona USA
> Phone (480) 451-7440
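The advice above, worked through as an added example (not code from either poster): the string-interpolation form that is open to injection, beside the two placeholder forms of the interbase extension, plus the caveat that wrapping everything in stored procedures does not help if the EXECUTE PROCEDURE / SELECT ... FROM procedure string is itself built by concatenation. The database path, credentials, the USERS table and the SP_FIND_USER procedure are hypothetical names assumed for the example, and the attacker input is constructed.

```php
<?php
// Added example, not part of the original thread. Assumes a Firebird database
// at localhost:/var/lib/firebird/data/app.fdb with a table USERS(ID, LOGIN,
// PASSWORD_HASH) and a selectable stored procedure SP_FIND_USER(P_LOGIN)
// returning USER_ID. All of these names are hypothetical.
$dbh = ibase_connect('localhost:/var/lib/firebird/data/app.fdb', 'SYSDBA', 'masterkey');
if (!$dbh) {
    die('connect failed: ' . ibase_errmsg());
}

// Constructed attacker input, standing in for $_POST['login'] (read form data
// explicitly from $_POST; never rely on register_globals variables).
$login = "' OR 1=1 --";

// VULNERABLE: form data interpolated straight into the SQL string. With the input
// above the WHERE clause becomes  LOGIN = '' OR 1=1 --'  and every row matches.
// Kept only for contrast; do not run this.
$unsafeSql = "SELECT ID, LOGIN FROM USERS WHERE LOGIN = '$login'";

// SAFE, form 1: ibase_query() with positional placeholders. The value travels as a
// bound parameter, so the quote and the "--" are ordinary characters in a string.
$res = ibase_query($dbh, 'SELECT ID, LOGIN FROM USERS WHERE LOGIN = ?', $login);
while ($row = ibase_fetch_assoc($res)) {
    // With the attacker input this loop never runs: no user has that login.
    printf("%d %s\n", $row['ID'], $row['LOGIN']);
}
ibase_free_result($res);

// SAFE, form 2: ibase_prepare() + ibase_execute(), the shape for a statement that
// runs many times (bulk INSERT): prepare once, bind a fresh set of values per row.
$sth = ibase_prepare($dbh, 'INSERT INTO USERS (LOGIN, PASSWORD_HASH) VALUES (?, ?)');
$newUsers = [
    ['alice', password_hash('correct horse', PASSWORD_DEFAULT)],
    [$login,  password_hash('irrelevant', PASSWORD_DEFAULT)],   // stored literally, quote and all
];
foreach ($newUsers as $u) {
    if (!ibase_execute($sth, $u[0], $u[1])) {
        die('insert failed: ' . ibase_errmsg());
    }
}
ibase_free_query($sth);

// Stored procedures alone are not a defence: the call is still SQL text.
// VULNERABLE: "SELECT USER_ID FROM SP_FIND_USER('$login')" injects exactly as above.
// SAFE: bind the procedure argument the same way as any other value.
$res = ibase_query($dbh, 'SELECT USER_ID FROM SP_FIND_USER(?)', $login);
while ($row = ibase_fetch_assoc($res)) {
    printf("found user %d\n", $row['USER_ID']);
}
ibase_free_result($res);

ibase_commit($dbh);
ibase_close($dbh);
```

The point of the contrast is that every safe variant passes user data as an argument after the SQL string, never inside it; the driver sends the statement and the parameter values separately, so there is nothing for a sanitizing function to escape. A sanitizer is only needed where a value must become part of the statement text (a column name, an ORDER BY direction), and for those the right control is a whitelist, not escaping.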