Webmaster Forum

05-17-2008, 04:00 PM   #1
Sarunas (New Member; Join Date: May 2008; Posts: 14)

Security Alert

It has recently been discovered that date and numeric field types under SQL *may* be prone to a particular type of injection attack.

Up till now, normally we correctly escaped all string fields; however, it may be that more stringent checking will be required on the standard date and numeric field types. This will mean correct range checking and date validation; however, you should all be doing this anyway.

It's not clear as to exactly which SQL databases are affected by this issue; however, the advice is to check everything, twice, then do it again just to make sure.

I recommend using a time stamp in an integer field. It might not be as fast as using a date field, and the value stored won't be "human readable" but it's super simple to ensure there is absolutely no possibility of injections.

Again, this is my personal recommendation coming from a person who is largely self-taught, and has no specific credentials given by MySQL in the form of diplomas, degrees, or anything like that, but has studied hard and learned a lot.

Something like;

Code:
<?php
// Assumes an open mysql_* connection. dayz() is the poster's custom formatter;
// the exact date() format string used here is an assumption.
function dayz($ts) { return date('Y-m-d H:i:s', $ts); }

$time = mysql_query('select unix_timestamp()');   // MySQL server clock as a unix timestamp
list($time1) = mysql_fetch_array($time);

echo dayz($time1) . "<hr>" . dayz(time());        // compare against PHP's own clock

dayz() is a custom function that uses the date() function to return a formatted time.

The web server is in New Zealand time, and the PHP code has a time zone set to USA Eastern time.

Both times came out the same. Considering the test, I don't see any problem using the MySQL unix_timestamp() function vs. inserting a PHP-generated time().
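The point of the post is that escaping quotes does nothing for a numeric or date column, because the value is written into the SQL without quotes in the first place; the fix is strict validation (range check, real calendar date) plus binding the value rather than concatenating it, and storing dates as integer unix timestamps keeps the stored field trivially checkable. The following is an added example, not code from the original post: it uses Python and an in-memory SQLite database standing in for the PHP/MySQL setup the poster describes. The table name `events`, the column `created_at`, the sample rows and all function names are constructed for the illustration.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Constructed sample data: created_at holds a unix timestamp in an INTEGER column,
# as the post recommends (values are 2008-05-17, -18 and -19 at 00:00 UTC).
SAMPLE_ROWS = [
    (1, "signup", 1210982400),
    (2, "login", 1211068800),
    (3, "logout", 1211155200),
]


def make_db():
    """Build the in-memory table used by the lookups below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, kind TEXT, created_at INTEGER)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_lookup(conn, raw_id):
    """The pattern the post warns about: a numeric field concatenated without quotes.

    Quote-escaping cannot help here because there are no quotes to break out of;
    whatever text arrives in raw_id is interpreted as SQL.
    """
    sql = "SELECT id, kind FROM events WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


_INT_RE = re.compile(r"-?[0-9]{1,18}")


def parse_int_field(raw, lo, hi):
    """Accept only a plain decimal integer inside [lo, hi]; reject everything else."""
    if not _INT_RE.fullmatch(raw):
        raise ValueError("not an integer: %r" % raw)
    value = int(raw)
    if not lo <= value <= hi:
        raise ValueError("out of range: %d" % value)
    return value


_DATE_RE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")


def parse_date_field(raw):
    """Accept only a real YYYY-MM-DD date; return it as a unix timestamp at UTC midnight."""
    if not _DATE_RE.fullmatch(raw):
        raise ValueError("bad date format: %r" % raw)
    try:
        dt = datetime.strptime(raw, "%Y-%m-%d")  # rejects impossible dates such as 2008-02-30
    except ValueError:
        raise ValueError("not a calendar date: %r" % raw)
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


def safe_lookup(conn, raw_id):
    """Validated and bound: the integer is passed to the driver, never spliced into SQL."""
    user_id = parse_int_field(raw_id, 1, 2**31 - 1)
    return conn.execute("SELECT id, kind FROM events WHERE id = ?", (user_id,)).fetchall()


def events_since(conn, raw_date):
    """Date input validated, converted to the integer timestamp the table stores, then bound."""
    since = parse_date_field(raw_date)
    return conn.execute("SELECT id FROM events WHERE created_at >= ? ORDER BY id", (since,)).fetchall()


def is_rejected(fn, *args):
    """True if the validator refuses the input (used to show what gets blocked)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_lookup(db, "1 OR 1=1"))   # every row comes back
    print("safe:", safe_lookup(db, "1"))
    print("blocked:", is_rejected(safe_lookup, db, "1 OR 1=1"))
    print("since 2008-05-18:", events_since(db, "2008-05-18"))
```

The validators deliberately use `fullmatch` rather than `^...$`, since `$` would accept a trailing newline, and the date check goes through `strptime` after the format check so that a well-formed but impossible date is refused before it reaches the query.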
05-21-2008, 01:19 PM   #2
Swastik (Join Date: Mar 2008; Location: India; Posts: 494)

Nice post.
Thanks

++ reps.