Can dynamic SQL sometimes be allowed without sanitization?

My PHP project partner aims to always sanitize integer values in dynamic SQL. If possible, we use parameterized queries. But the UPDATE and DELETE conditions of Zend_Db_Adapter require an unparameterized SQL string. That's why I, without even thinking, always write something like:

$db->delete('table_foo', 'id = ' . intval($obj->get_id()));

This is equivalent to, but a shorter version of, the following (I checked the ZF source code):

$db->delete('table_foo', $db->quoteInto('id = ?', $obj->get_id(), 'INTEGER'));

My partner strongly objects to this intval(), saying that if the $obj ID is zero (the object has not yet been saved to the database), I will not notice the error, and the database operation will simply be performed silently. That has actually happened to him.

He says that if we sanitize all HTML form input, there is no way for an integer ID to turn into '; DROP TABLE ...', ' OR 1 = 1' or another unpleasant value and be inserted into our SQL queries. So I'm just paranoid and making our lives unnecessarily complicated. "Stop trusting values from $_SESSION, then," he says.

However, for string value conditions, he agrees with:

$db->update(
    'table_foo',
    $columns,
    'string_column_bar = ' . $db->quote($string_value)
);

I could not prove him wrong, and he could not prove me wrong. Can you?

+5
8 answers

What do you think is the bigger problem:

  • You must track the error that did not cause the SQL query to fail.
  • , , - .

, . .

, : , null, intval() . .

+7

Zend, , $db->quoteInto() $db->quote, (string) intval($value) INTEGER .

undefined, $db->_quote(). :

protected function _quote($value)
{
    // Native integers and floats are returned unquoted, as-is.
    if (is_int($value) || is_float($value)) {
        return $value;
    }
    // Everything else is escaped and wrapped in single quotes.
    return "'" . addcslashes($value, "\000\n\r\\'\"\032") . "'";
}

( ), $db->delete .

0

All data received from a form must be sanitized. With no exceptions. Data retrieved from your own system must already have been sanitized before it entered your system, and therefore should not be sanitized again when it is retrieved from the system.

So the question is: where is this integer coming from?

0
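As an added example (not code from the question or from Zend Framework), the following plain-PHP script reproduces both sides of the dispute with PDO and an in-memory SQLite database: the intval() condition neutralises a hostile string but turns an unsaved object's id into 0 and runs a DELETE that silently matches nothing, while a strict positive-integer check rejects the unsaved id before any query is built. The helper names lenientCondition, strictCondition and deleteWhere are assumptions made for this example.

```php
<?php
// Added example, not code from the question or from Zend Framework: the intval()
// condition from the question beside a strict check that refuses an unsaved
// (null / 0) id. Uses PDO with in-memory SQLite so it runs stand-alone.
declare(strict_types=1);

// Lenient form, as in the question: any hostile string collapses to an integer,
// so nothing can be injected, but an unsaved object's id (null or 0) becomes 0.
function lenientCondition($rawId): string
{
    return 'id = ' . intval($rawId);
}

// Strict form: accept only a positive integer (or an integer-looking string);
// anything else throws, so an unsaved object is caught before the query runs.
function strictCondition($rawId): string
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException(
            'refusing to build a condition for id ' . var_export($rawId, true));
    }
    return 'id = ' . $id;
}

// Runs the DELETE and returns the number of rows removed; 0 is the "silent
// success" case the question describes, so callers should check it.
function deleteWhere(PDO $db, string $table, string $condition): int
{
    return $db->exec("DELETE FROM $table WHERE $condition");
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE table_foo (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO table_foo VALUES (1, 'one'), (2, 'two'), (3, 'three')");

// Constructed inputs: a hostile string and the id of an object that was never saved.
$hostile = "1; DROP TABLE table_foo";
$unsaved = null;

printf("lenient, hostile input -> %s\n", lenientCondition($hostile));
printf("lenient, unsaved id    -> %s\n", lenientCondition($unsaved));
printf("rows deleted for unsaved id: %d\n", deleteWhere($db, 'table_foo', lenientCondition($unsaved)));
try {
    strictCondition($unsaved);
} catch (InvalidArgumentException $e) {
    printf("strict, unsaved id -> exception: %s\n", $e->getMessage());
}
printf("rows deleted for id 2: %d\n", deleteWhere($db, 'table_foo', strictCondition('2')));
```

Requires the pdo_sqlite extension; the script prints the built conditions and the affected-row counts so the no-op DELETE for the unsaved id is visible next to the rejected strict case.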