Errata



The errata list is a list of errors and their corrections that were found after the product was released. If the error was corrected in a later version or reprint, the date of the correction is displayed in the column titled "Corrected".

The following errata were submitted by our customers and approved as valid errors by the author or editor.





Version: Printed
Location: Page 5.1.4, just before 5.1.5 begins
Description:

It says "you may need to find or write your own input filtering function, or at least use the addslashes() function as a last resort."

This is no longer a good last resort, since the discovery of Unicode-based SQL injection vulnerabilities that use Unicode encodings of (e.g.) apostrophes. Also, not all databases accept backslash as an escape of single quotes. The database-specific quoting mechanism (e.g., pg_escape_string for PostgreSQL) must be used. Writing your own input filtering function should be discouraged for the same reason.

Note from the Author or Editor:
At the time of writing (early 2007), addslashes() was viewed as sufficient protection, according to industry guidance from Chris Shiflett (Essential PHP Security) and OWASP. I agree that it does not provide protection from encoded attacks, so I reinforce my guidance in the earlier part of that section: Use PDO, which is available in PHP 5.

Thanks,

-Martin

Submitted by: Anonymous
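The two failure modes the submitter describes, and the PDO fix the author points to, in one runnable script. This is an added example, not code from the book, the submitter, or the author. It assumes the pdo_sqlite and mbstring extensions (both present in most PHP builds): SQLite's in-memory database stands in for the reader's real database to show that a backslash is not a universal quote escape, and the GBK byte pair 0xBF 0x5C is the well-known multibyte case in which the backslash that addslashes() inserts is absorbed into a two-byte character. The table, rows and payload are constructed for the demonstration.

```php
<?php
// Added example (not from the book): why addslashes() is not a safe last resort,
// and what to use instead (a PDO prepared statement).
// Assumes the pdo_sqlite and mbstring extensions.

declare(strict_types=1);

// Constructed sample data: an in-memory SQLite database with two users.
function sampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");
    return $db;
}

// The pattern the erratum warns about: escape with addslashes(), then concatenate
// the result into the SQL text. Returns the matching names.
function lookupWithAddslashes(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . addslashes($name) . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// The fix the author points to: a PDO prepared statement. The value never becomes
// part of the SQL text, so there is no client-side quoting rule to bypass.
function lookupWithPdo(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Second point in the erratum: backslash is not a universal escape character.
// SQLite, like standard SQL, escapes a quote by doubling it, so the "\'" that
// addslashes() produces is the one-character string "\" followed by a closing quote.
$db      = sampleDb();
$payload = "' OR 1=1 -- ";
$leaked  = lookupWithAddslashes($db, $payload);  // ['alice', 'bob']: every row comes back
$safe    = lookupWithPdo($db, $payload);         // []: no user is literally named "' OR 1=1 -- "

// First point in the erratum: multibyte encodings. In GBK the byte 0xBF begins a
// two-byte character and 0x5C is a valid trailing byte, so the backslash that
// addslashes() inserted is swallowed into that character and the quote is bare again.
$bytes   = "\xBF'";                              // 0xBF followed by an apostrophe
$escaped = addslashes($bytes);                   // bytes 0xBF 0x5C 0x27
$asGbk   = mb_strlen($escaped, 'GBK');           // 2: one wide character plus a lone quote
$lastChr = mb_substr($escaped, -1, 1, 'GBK');    // "'": the quote survived unescaped

printf("addslashes + concatenation on SQLite returned: %s\n", implode(', ', $leaked));
printf("prepared statement returned: %s\n", $safe ? implode(', ', $safe) : '(no rows)');
printf("GBK view of the escaped bytes: %d characters, last one is %s\n",
       $asGbk, var_export($lastChr, true));
```

The same concatenation against MySQL with the connection set to a GBK-family charset is the case the submitter describes; the bytes are identical, only the parser that sees them differs. With PDO, also pass the charset in the DSN (for example `charset=utf8mb4`) so the server and client agree on what a character is, which is what makes server-side quoting and bound parameters sound.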

