
SQL Injection concerns

Explorer, Nov 23, 2008

I have been studying sql injection attacks and the mysql_real_escape function.

I read the Adobe technote about sql injection and it noted that Dreamweaver 8.0 incorporates anti-sql injection code to prevent attacks and it specifically refers to Add, Delete, and Update; Filtered Recordsets, and Login User server behaviors. Can anyone please confirm this to put my mind at ease?

The Search form and results page uses a filtered recordset, so can I presume that it is guarded from attack?

Can you tell me of any areas that I need to add anti-sql injection code myself?

Thank you so much for your help!

TOPICS
Server side applications

LEGEND, Nov 23, 2008

EviePhillips wrote:
> The Search form and results page uses a filtered recordset, so can I presume
> that it is guarded from attack?

If you are using code created by Dreamweaver 8.0.2 or later, yes.

> Can you tell me of any areas that I need to add anti-sql injection code
> myself?

Dreamweaver 8.0.2 fixed the SQL injection vulnerabilities in all server
behaviors. If you have created any code yourself, you need to filter all
user input.

--
David Powers, Adobe Community Expert
Author, "The Essential Guide to Dreamweaver CS3" (friends of ED)
Author, "PHP Solutions" (friends of ED)
http://foundationphp.com/

Explorer, Dec 01, 2008

Okay, I created a contact page which is a form and it posts to another page with the email script and html that says, Your message has been received, yada, yada. I coded this email script myself, so on this page, the page that the form POSTS to, I added the mysql_real_escape_string(etc.) to each form field that is posted. I didn't get any errors, so I think I am good.

BIG QUESTION: Now what about a Form that posts to another page. I don't code anything myself. On the page that the Form posts to, I created Form Variables in the Binding panel. I then drag the form variables to this page to show the user their input.

The code on this second page (the one where the form posts to) ECHOs the form variables. Do I need to enter the mysql_real_escape_string around each of the ECHOed posted form variables?

I am then going to use the ADD Record server behavior to add the data to my database from this page, which based on your counsel is fully protected from sql injection.

You are very kind for sharing your knowledge!
EP

LEGEND, Dec 05, 2008
EviePhillips wrote:
> The code on this second page (the one where the form posts to) ECHOs the form
> variables. Do I need to enter the mysql_real_escape_string around each of the
> ECHOed posted form variables?

No, mysql_real_escape_string() is used only when inserting user input
values into a database. You cannot use it without a database connection.

However, you should pass the values to htmlentities() before
displaying them in your page. You can do this by accessing the Format
menu in the Dynamic Text dialog box. After using the Bindings panel to
insert the value, switch to the Server Behaviors panel, and double-click
the Dynamic Text entry to open the dialog box.

> I am then going to use the ADD Record server behavior to add the data to my
> database from this page, which based on your counsel is fully protected from
> sql injection.
>
> You are very kind for sharing your knowledge!
> EP

--
David Powers, Adobe Community Expert
Author, "The Essential Guide to Dreamweaver CS4",
"PHP Solutions" & "PHP Object-Oriented Solutions"
http://foundationphp.com/
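The separation David describes above (escape for SQL only where a value goes into the INSERT, htmlentities() only where a value is echoed back), written out as an added PHP example for the contact-form handler asked about in the earlier post. This is not Dreamweaver's generated code; the table name, column names and connection credentials are placeholders, and mysqli_* is used because the mysql_* functions of 2008 no longer exist in current PHP.

```php
<?php
// Added example, not Dreamweaver's generated code. Assumes a MySQL table
// `messages(name, email, body)` and placeholder credentials below.

// 1. Output escaping: used whenever a posted value is ECHOed back to the
//    browser. Needs no database connection at all.
function show($value) {
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// 2. SQL escaping: used only where a value is placed inside an SQL string.
//    Needs an open connection, because escaping depends on the connection's
//    character set. Returns a quoted SQL string literal.
function sql_str(mysqli $conn, $value) {
    return "'" . mysqli_real_escape_string($conn, $value) . "'";
}

$name  = isset($_POST['name'])  ? $_POST['name']  : '';
$email = isset($_POST['email']) ? $_POST['email'] : '';
$body  = isset($_POST['body'])  ? $_POST['body']  : '';

// Confirmation page: show the user their own input. htmlentities() here,
// never mysql-style escaping, so "<script>" is displayed, not executed.
echo '<p>Thanks, ' . show($name) . '. Your message has been received.</p>';
echo '<blockquote>' . show($body) . '</blockquote>';

// Insert step (what the Add Record server behavior does for you): SQL
// escaping here, never htmlentities(), so the stored text is the raw input
// and not HTML-encoded.
mysqli_report(MYSQLI_REPORT_OFF);                 // keep the legacy "returns false" behaviour
$conn = mysqli_connect('localhost', 'user', 'pass', 'site_db'); // placeholder credentials
if ($conn) {
    mysqli_set_charset($conn, 'utf8mb4');           // must match what the escaper assumes
    $sql = 'INSERT INTO messages (name, email, body) VALUES ('
         . sql_str($conn, $name) . ', '
         . sql_str($conn, $email) . ', '
         . sql_str($conn, $body) . ')';
    mysqli_query($conn, $sql);
    mysqli_close($conn);
}
```

On current PHP the insert is better done with mysqli_prepare() and bound parameters, which removes the need to escape values by hand; the output side still needs htmlentities() regardless.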
