[Wolves] PHP Sql select losing a row

Chris Ellis chris at intrbiz.com
Mon Jul 15 22:56:53 UTC 2013

Hi Wayne

I'm deeply concerned by your poor attitude to security, there is no excuse
for building applications which are vulnerable to both SQL Injection and
Cross-Site Scripting vulnerabilities like your code sample is.  Remember,
that under the Data Protection Act, a business has a responsibility to look
after the data it is storing.

Using the code sample in a production system, in my view is being
professionally negligent.  Esd pecially given community members have
pointed out the issues.

In general terms, whenever data traverses a trust boundary it must be
validated.  For web applications, data must be validated for every single
request.  You cannot use a request parameter without first validating it.
Never trust your users, they might not act maliciously, but they will act
foolishly, never trust data they input.

1) You should never concatenate data into SQL queries without escaping it,
its one function call.  Preferably use prepared statements.

  $queryz = "SELECT * FROM property WHERE postcode like '%$postcodevoid%'
and let = '1'";

If $postcodevoid where to be something like:

  '; DROP TABLE property; --

Your going to have a bad day.

2) You should never output data in HTML without HTML escaping it.

  print("<TD width=10% wrap style=\"wrap: 1 solid
#800000\">".$rowz["address1"]. " </td>    ". " ");

If $rowz["address1"] where to be something like:


Your going to have a bad day.

I'll leave you with: http://xkcd.com/327/

Chris Ellis
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.lug.org.uk/pipermail/wolves/attachments/20130715/2d6c285f/attachment.html>

More information about the Wolves mailing list