SQL Injection Defenses

Errata for SQL Injection Defenses

Submit your own errata for this product.

The errata list is a list of errors and their corrections that were found after the product was released. If the error was corrected in a later version or reprint the date of the correction will be displayed in the column titled "Date Corrected".

The following errata were submitted by our customers and approved as valid errors by the author or editor.

Color Key: Serious Technical Mistake Minor Technical Mistake Language or formatting error Typo Question Note Update

Version Location Description Submitted By Date Submitted Date Corrected
Page 5.1.4
Just before 5.1.5 begins

It says "you may need to find or write your own input filtering function, or at least use the addslashes() function as a last resort." This is no longer a good last resort, since the discovery of Unicode-based SQL injection vulnerabilities that use Unicode encodings of (e.g.) apostrophes. Also, not all databases accept backslash as an escape of single quotes. The database-specific quoting mechanism (e.g., pg_escape_string for PostgreSQL) must be used. Writing your own input filtering function should be discouraged for the same reason.

Note from the Author or Editor:
At the time of writing (early 2007), addslashes() was viewed as sufficient protection, according to industry guidance from Chris Shiflett (Essential PHP Security), and OWASP. I agree that it does not provide protection from encoded attacks, so reinforce my guidance in the earlier part of that section: Use PDO, which is available in PHP 5. Thanks, -Martin