This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 2 years ago.
I have a query like this:
update T_table set detail = 'XXXX' where num = 155;
which on my php file looks like this:
$sql = "update T_table set ".$_GET['field']." = '".$_GET['value']."' where num = ".$_GET['num'];
$output = mysql_query($sql);
I would like to know if it is possible to inject SQL where the XXXX are in the query. Because they will be replaced by a sting from $_GET, and if it is possible how would you do?
Important: My MYSQL database is not allowing double pipes (||) as a concatenation operator.
you should use PDO's prepared statements
$query = $db->prepare("update T_table set detail = :detail where num = :num;");
$query->bindParam(":detail", $_GET['detail']);
$query->bindParam(":num", $_GET['num']);
$query->execute();
if you need multiple fields this gets a little more complicated as the user's input can't really be trusted with arbitrary fields:
$allowedFields = ["detail", "cost", "name"];
$field = $_GET['field'];
if(in_array($field, $allowedFields) {
$query = $db->prepare("update T_table set $field = :value where num = :num;");
$query->bindParam(":value", $_GET['value']);
$query->bindParam(":num", $_GET['num']);
$query->execute();
}
Related
This question already has an answer here:
Write a prepared statement with nullable values in conditions
(1 answer)
Closed 2 years ago.
I have a quite long mysql query, selecting data according to status field. I'm calling it for different statuses and it works well, but I have a scenario when I should get all records where status is null ONLY. Is there a way to do this without having to write 2 different sql queries?
Looks like I can't insert 'IS NULL' or '=' without it being rendered as a string.
I want to achieve this:
$sql = "SELECT name, surname FROM ...
...
WHERE status ?;";
$stmt = $pdo->prepare($sql);
$stmt->execute(array($status === 'undefined' ? 'IS NULL' : " = '$status'"));
After all, here's what I did:
$sql = "SELECT name, surname FROM ...
...
WHERE status <=> ?;";
$stmt = $pdo->prepare($sql);
$stmt->execute(array($status === 'unfinished' ? null : $status));
Using parameterised queries, as indicated, is a safer way of introducing user input into your SQL statements. However, it has the effect of treating all input as a parameter, and therefore will surroung any string literals with quotes - giving rise to the problem you have.
To deal with this issue, why not just modify the logic of the code:
$sql = "SELECT name, surname FROM ...
...
WHERE status";
if ($status === 'undefined') {
$sql .= " IS NULL";
$stmt = $pdo->prepare($sql);
$stmt->execute();
} else {
$sql .= " = ?"
$stmt = $pdo->prepare($sql);
$stmt->execute(array($status));
}
Edit
Updated to move the execution into the relevant part of the if statement becuase the parameters must not be specified if there is no placeholder in the SQL statement.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 5 years ago.
I just want to check how safe (if at all) my PHP-MYSQL queries are, I'm using user data which is coming through $_POST and then validating - the validation process of all data includes using mysqli_real_escape_string() on the string and trim(). The nature of some of my inputs however means that I don't restrict any characters on user input. Is what I'm doing safe and if not how could it be improved.
An example of an insert query (where $name and $description are $_POST data values which have been through a validation function.)
$sql = "INSERT INTO company(company_name, company_description) VALUES('".$name."', '".$description."')";
$result = mysqli_query($con, $sql);
An example of a select query (where $companyid is user input, real_escaped and stripped)
$sql = "SELECT * FROM events WHERE event_company=".$companyid."";
$result = mysqli_query($con, $sql);
Thanks in advance.
Here are your queries updated to use mysqli prepared statements.
$sql = "INSERT INTO `company` (`company_name`, `company_description`) VALUES(?, ?)";
$stmt = $con->prepare($sql);
$stmt->bind_param('ss',$name,$description); // ss is for string string
$stmt->execute();
$result = $stmt->get_result();
and
$sql = "SELECT * FROM `events` WHERE `event_company` = ?";
$stmt = $con->prepare($sql);
$stmt->bind_param('i',$companyid); // i indicates integer
$stmt->execute();
$result = $stmt->get_result();
There a type of hack called "SQL INJECTION" which can deceive your control. Read there for more information https://www.veracode.com/security/sql-injection
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Binding multiple values in pdo
(3 answers)
Closed 6 years ago.
I have prepared a series of queries which work. Now I am in the process of securing these queries against injection. I can do it fine when I have one variable in the query but have not been able to find how to do it for more with trial and error.
This is what I am doing (See $sql and $handle->execute()):
<?php
$sql = "SELECT FORMAT (z.PriceMultiplier * p.BasicTicketPrice,2)
AS totalPrice
FROM Zone z JOIN Production p
WHERE p.Title = :n AND z.Name = :n";
$handle = $conn->prepare($sql);
$zone = "$_POST[Zone]";
$prod = "$_POST[Production]";
$handle->execute(array(":n"=> $zone, $prod))
$conn = null;
$res = $handle->fetchAll();
foreach($res as $row) {
echo "<input name='Price' type='text' readonly='readonly' value=£".$row['totalPrice']."><br>";
}
?>
How do I assign the variables $zone and $prod to the statement in handle->execute()?
Thank you in advance.
[edit1: SOLUTION: Use ? instead of :n p.Title = ? AND z.Name = ? and just do $handle->execute(array($zone, $prod))]
[edit2: I do not believe this is a duplicate - the question is not how to prevent an injection attack... it is how to deal with multiple variables in doing so.]
This question already has answers here:
Can PHP PDO Statements accept the table or column name as parameter?
(8 answers)
Closed 9 years ago.
I currently use mysql_real_escape_string to escape variable in mysql query. I know how to use bindValue, but I have a question about protection when I'm trying to insert table name from variable. For example
$tablename = mysql_real_escape_string($name_from_form);
$get = mysql_query("SELECT * FROM ".$tablename." WHERE keyword='something'");
Can anybody help me with an example of how to do PDO prepared statements which will do the same as above?
You won't be able to escape the table name (I hope that $tablename isn't coming from an outside source - If it is, you will need to whitelist what table names are allowed). In PDO, your code could look something like:
$allowedTables = array('posts', 'users');
if(!in_array($tablename, $allowedTables)){
throw new Exception('Invalid table name: ' . $tablename);
}
$keyword = 'something';
$stmt = $dbh->prepare("SELECT * FROM " . $tablename . " WHERE keyword = :keyword");
$stmt->bindParam(':keyword', $keyword);
$stmt->execute();
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
Have a minor issue when updating records in MySQL using PDO. It fails to update when I use grammar so for an example, if I use: ' it fails me. I am using my prepare, but it's just the apostrophe that fails to work?
if($_POST['ourstory']) {
foreach($_POST['ourstory'] as $id => $ourstory) {
$sql = "UPDATE our_story SET content = '$ourstory' WHERE id = '$id'";
$q = $db->prepare($sql);
$q->execute(array($id,$ourstory));
}
}
That's not how you use prepared statements. You want to use a ? in your query.
$sql = "UPDATE our_story SET content = ? WHERE id = ?";
$q = $db->prepare($sql);
$q->execute(array($ourstory, $id));