[aprssig] APRS IS streams and MySQL

Matti Aarnio oh2mqk at sral.fi
Sat Sep 12 13:41:02 EDT 2009


On Sat, Sep 12, 2009 at 09:24:44AM -0700, Jordan Hayes KG6UAE wrote:
> From: Jordan Hayes KG6UAE <kg6uae at arrl.net>
>> "given input from an outside source" where else does it come from ?
>
> (I'll use PHP but the idea is similar in other language bindings):
>    $q = "SELECT * from Table where Col LIKE 'A%'";
>
> There's no chance that *your own code* would be exploited, so you don't  
> *have* to use a PreparedStatement.  But if you're, say, writing a web  
> application, you might be tempted to do this:
>
>    $q = "SELECT * from Table where Col LIKE '" . $_REQUEST['col'] .  "%'";

An old joke about this issue was something like:

  "So you did decide to call your child "';drop tables;'"?"

  "Yes we did, our lovely "drop tables" we call her..."


The first MySQL integration layer for PHP did not have PreparedStatements.
For that matter, at that time they did not exist in MySQL either!

Current PHP has two MySQL interfaces: MySQL and MySQLi (i = improved).

The first one is full of "SQL injection" hazards; the second one, with
PreparedStatements, is safe (presuming you use PreparedStatements).
The first one also has mysql_escape_string(), but it is a poor substitute
for PreparedStatements.

In other programming languages... Perl has the DBI/DBD layer, which
presents a uniform API to the application (unlike PHP); all databases
are usable through that layer. The same is true of Java's SQL layers.

Be very careful!  Understand the hazards in your tools!

> More details here: http://en.wikipedia.org/wiki/SQL_injection
> /jordan 

73 de Matti, OH2MQK
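
As an added example (not code from Matti's or Jordan's messages), here is the LIKE query from the quoted snippet written the hazardous way beside the MySQLi PreparedStatement form the message recommends. The connection parameters and the hostile input are assumptions for illustration; the table `Table` and column `Col` are the names used in Jordan's snippet. The example also covers one point the message does not spell out: a bound parameter stops the value from being parsed as SQL, but '%' and '_' are still wildcards inside a LIKE pattern and need their own escaping if the search is meant to be a prefix match.

```php
<?php
// Added example, not code from the original thread. Assumes a reachable MySQL
// server, the hypothetical credentials below, and a table `Table` with a
// column `Col` (the names from Jordan's snippet).

// The hazardous pattern from the quoted message: untrusted input is spliced
// straight into the SQL text. Returned as a string so the effect is visible.
function unsafeLikeQuery(string $userInput): string
{
    return "SELECT * from Table where Col LIKE '" . $userInput . "%'";
}

// Prepared statements keep the value out of the SQL grammar, but '%' and '_'
// are still wildcards inside a LIKE pattern, so a prefix search needs them
// escaped as well. '!' is used as the escape character to stay clear of
// backslash handling differences between MySQL sql_modes.
function escapeLikePattern(string $s): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $s);
}

// The MySQLi form: the pattern travels as a bound parameter, never as SQL text.
function safePrefixSearch(mysqli $db, string $prefix): array
{
    $stmt = $db->prepare("SELECT * FROM `Table` WHERE `Col` LIKE ? ESCAPE '!'");
    $pattern = escapeLikePattern($prefix) . '%';
    $stmt->bind_param('s', $pattern);      // 's' = string; the server sees a value, not SQL
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);  // get_result() requires mysqlnd
    $stmt->close();
    return $rows;
}

// A hostile value of the kind the thread jokes about (constructed for the demo).
$hostile = "' OR 1=1 -- ";

// Spliced in, it closes the quoted literal, adds an always-true condition and
// comments out the rest of the statement, so the query matches every row.
echo unsafeLikeQuery($hostile), "\n";

// Bound as a parameter, the same string is just an (unlikely) prefix to match.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // make mysqli throw on errors
$db = new mysqli('localhost', 'aprs', 'secret', 'aprsdb');  // hypothetical credentials
$rows = safePrefixSearch($db, $hostile);
printf("%d row(s) whose Col starts with %s\n", count($rows), var_export($hostile, true));
$db->close();
```

With the hostile value above, unsafeLikeQuery() yields `SELECT * from Table where Col LIKE '' OR 1=1 -- %'`, which MySQL accepts and which returns the whole table. The bound version sends the query text and the value separately, so no input can change the statement's shape. Perl's DBI placeholders (`?` in prepare(), values passed to execute()) and JDBC's PreparedStatement work the same way, which is why the message points to them.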
