
Ah yes, the dread apostrophe (or single quote). That's actually a risk for SQL Injection attacks, and should be addressed ASAP.

EVERY field coming in from the screen that is incorporated into an SQL query should be run through a function to safety pad the value before it is concatenated to the query. I cannot stress that enough.

For example:
$val = $_POST["txtName"];
$sql = "select * from Names where Name like '" . $val . "'";

this means that I can type "';drop database YourDB; select '" into the txtName text box on the screen and get it to run my bit of SQL to drop your database, or something else.

I'd have to look up the best recommendation for PHP, in general it's using a function like quotesmart() or just replacing all single quotes with a pair of single quotes.

$val = quotesmart($_POST["txtName"]);

Yeah, we have a programmer doing this. No point talking to me on how to program for PHP - I wouldn't even begin to understand it! Goes right over my head! :)
 
> Yeah, we have a programmer doing this. No point talking to me on how to program for PHP - I wouldn't even begin to understand it! Goes right over my head! :)

Just pass it along to him. I'm always surprised by devs who forget to do this. It's part of standard practice to safety pad and validate datatype on all values I'm building into SQL. Any Pro developer should know this by now.

One could argue that this is just a table-making app and not critical for that level of caution. But kids in China, Russia, etc. seem to have free time to launch attacks with scripts that test for this vulnerability. It's all fun until they take your site down. All for the lack of an extra function call that is consistently applied throughout the code.

You can chalk it up to your dev having made a mistake. His best response is to comb through his code and fix it everywhere and to modify his style to account for it EVERY time consistently, so it won't happen to him again.
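As an added illustration of the two points made in this thread (escaping every value before it is built into SQL, and validating the datatype of values such as IDs), here is the vulnerable concatenation pattern next to a hardened version. This is example code written for this page, not the thread's own or the dev's code; it assumes a `Names` table with `Id` and `Name` columns and the `txtName` form field from the first post, and it uses PDO prepared statements (the standard PHP way to keep user input out of the SQL text) rather than the `quotesmart()` helper the poster mentioned from memory.

```php
<?php
// Added example, not from the thread. Assumes a Names(Id, Name) table and a
// txtName form field; uses an in-memory SQLite database so it runs stand-alone.

// VULNERABLE: the request value is concatenated straight into the SQL text,
// so an apostrophe in the input ends the string literal and whatever follows
// is parsed as SQL. This is the pattern the thread warns about.
function findNamesUnsafe(PDO $pdo, string $val): array
{
    $sql = "SELECT * FROM Names WHERE Name LIKE '" . $val . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the value travels as a bound parameter, never as SQL text.
// An apostrophe (or a whole "'; drop ..." payload) is just data to the database.
function findNamesSafe(PDO $pdo, string $val): array
{
    $stmt = $pdo->prepare("SELECT * FROM Names WHERE Name LIKE :name");
    $stmt->execute([':name' => $val]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Datatype validation for numeric fields, as the second post recommends:
// anything that is not an integer is rejected instead of being "fixed up".
function findNameById(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null; // refuse non-numeric input outright
    }
    $stmt = $pdo->prepare("SELECT * FROM Names WHERE Id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data (not from the thread) so the functions can be exercised.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE Names (Id INTEGER PRIMARY KEY, Name TEXT)");
$pdo->exec("INSERT INTO Names (Name) VALUES ('O''Neil'), ('Smith')");

// Outside a web request $_POST is empty, so fall back to a constructed value
// containing the "dread apostrophe".
$val = $_POST['txtName'] ?? "O'Neil";

// findNamesUnsafe($pdo, $val) throws a syntax error here: the apostrophe in
// O'Neil terminates the quoted literal early. The safe version just matches it.
print_r(findNamesSafe($pdo, $val));

// Type validation in action: "1" is accepted, "1 OR 1=1" is rejected before
// it ever reaches the database.
var_dump(findNameById($pdo, "1") !== null);        // bool(true)
var_dump(findNameById($pdo, "1 OR 1=1") === null); // bool(true)
```

The practical rule this encodes is the one the thread states: every value from the screen goes through the same protection (here, parameter binding) every time, with the database driver doing the quoting rather than the application reaching for a per-call escaping helper it might forget.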
 
