(This originally appeared here on 17 September 2007.)
I am pleased to announce that WASC has published a paper I wrote for the security articles project. The project is very nice, because all articles must pass through a critique and voting process by a peer group of security professionals (and I am proud to be among them when not wearing the hat of an author).

The Unexpected SQL Injection
(When Escaping Is Not Enough)

Abstract:
We will look at several scenarios under which SQL injection may occur, even though mysql_real_escape_string() has been used. There are two major steps at writing SQL injection resistant code: correct validation and escaping of input and proper use of the SQL syntax. Failure to comply with any of them may lead to compromise. Many of the specific issues are already known, but no single document mentions them all.
Although the examples are built on PHP/MySQL, the same principles apply to ASP/MSSQL and other combinations of languages and databases.

Full text: [HTML] [TXT] [ZIP (examples)]

13 Responses to “The Unexpected SQL Injection”
  1. Frederic says:

    hello…

    Hi there thanks for the quality post! http://ritama.20six.de/ ,i had a good read.thank you for your article,My problem continues to be resolved….

  2. sander says:

    hello…

    thank you for your article,My problem has been resolved. http://selina.glowindia.com/ , Thanks again….

  3. Xehmer says:

    hello…

    Hi there thanks for the quality post! http://rose11.normblogs.com/ ,i had a great read.appreciate your article,My problem has been resolved….

  4. Kugenie says:

    Nice…

    hello,very cool. http://blogs.hegatrading.com/akfmnmefva/2011/07/07/damas-dresses-in-houston-tx/ ,nice to meet you…

  5. Pehmer says:

    Great One…

    I must say, its worth it! My link!http://duffy071.journalspace.com/ ,thanks haha…

  6. Hehmer says:

    Great One…

    I must say, its worth it! My link!http://duffy071.skyrock.com/ ,thanks haha…

  7. venzingS says:

    really good article…

    I have spent a bit of time going through your posts, more than I should have but I must say, http://juning001.typepad.com/blog/2011/07/any-time-summertime-time-assemblage-bells-commemoration-commemoration-1-by-1-the-commemoration-in-ab.html#tp, many Th…

  8. Jenzing says:

    Great One…

    I must say, its worth it! My link, http://house-of.com/kris/,thanks haha…

  9. Benzing says:

    Great One…

    I must say ! http://ladygig.com/jjjdisuys/blog/ ,thanks haha…

  10. Matilde says:

    Great One…

    I must say ! http://shannon071.inube.com/ ,thanks haha…

  11. Jennifer Anderson says:

    Jennifer Anderson…

    […]n Hi there! Someone in my Myspace group shared this site with us so I came to nz[…]…

  12. ORLANDO says:


    Buy Viagra

    Buy Unique Pharmacy Today!…

  13. wayne says:

    trusted@pillspot.com” rel=”nofollow”>.…

    hello….

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

FireStats icon Powered by FireStats