Secure Insert Statement

Anon

Hello,

I've been developing data driven sites for about 3 years now, yet within a controlled corporate environment. The treat of someone writing an SQL statement within one of my text boxes has been very low. Over the years I've seen and had a few discussion with my peers in respect to protecting the database from someone with enough knowledge about HTTP and SQL to write an SQL statement that will drop my Database within one of my text boxes. BAM and I'm down in the water! I have since then created a few data driven sites on the Internet and every once in a while I
think about someone dropping my site with this technique. In Theory, All I have to do is parse for a few of the special programming characters and replace them with the ASSCII equivelent...so I believe.

SO MY QUESTION:
Does anyone know where is a good online tutorial in any languge that addresses this issue? I would prefer the PHP3 version so I know the methods I can work with but any language would do since I'm able to identify similar methods across programming language.....Hail the method makers!

Mike

spider_man

Well, in my experience I can tell you that as long as your text is enclosed by quotes and has all the quotes commented, wich is automagically done by the magic quotes enabled, your SQL statement will be secure.
Besides, you can work on the security permisions; most of the times, when a select statement is enough, you can use a user with only that priviledge.

Hope it helped.

You can find a bunch of articles about the subject in Devshed.