This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 4 years ago.
Most of the time I've been doing SQL like this:
$pdo = new PDO($dsn, $usr, $pass);
$qry = 'SELECT * FROM `my_table` WHERE `pk_id` = '. $id .';';
$res = $pdo->query($qry);
but recently I've seen a few posts showing that the only way to be safe is using prepared statements - this isn't an issue really for me, and this probably has an answer, just one I couldn't find from Googling around.
Surely, if all of my statements end in .';', using concat is OK?
Thanks,
No.
In SQL, it does not give an error if you supply two semicolons at the end of your query.
So if a user could pass along this:
1; DROP TABLE users;
it will have the same consequences, with or without the semicolon your code adds at the end.
The huge benefit of prepared statements is that no data is being altered. It just simply sends two queries.
Here is a nice source which contains a lot of SQL injection examples.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
I need to use a select query but my code keeps crashing because some of the names have apostrophes in them. I pull all data into a table and halfway through it just stops because it hits an apostrophe.
My select query:
// ORDER BY 'class_no' (quoted) sorts by a constant string; the column name must be unquoted or in backticks
$query = mysqli_query($dbh, "SELECT * FROM show_invoice WHERE id_show = '$get_id' AND status = 'UNPAID' AND scratch = 'Unscratched' AND show_deleted != 'Deleted' ORDER BY class_no ASC");
There are 3 columns that will possibly contain apostrophes. Any advice on how I can stop it from crashing?
You can use mysqli_real_escape_string.
So just do
$get_id = mysqli_real_escape_string($dbh, $get_id);
before running your query.
Note: You should really use prepared statements instead of your own queries because of the risk of SQL injection attacks.
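The same SELECT as a mysqli prepared statement, as an added example that is not part of the answer above: the id (and any name containing an apostrophe) travels as a bound value, so nothing is escaped by hand. It assumes $dbh is the open mysqli connection from the question and that mysqlnd is available for get_result().

```php
<?php
// Added example: prepared-statement form of the query from the question.
// Apostrophes in $showId are sent as data, never spliced into the SQL text.
function fetchUnpaidInvoices(mysqli $dbh, string $showId): array
{
    $sql = "SELECT * FROM show_invoice
            WHERE id_show = ? AND status = 'UNPAID'
              AND scratch = 'Unscratched' AND show_deleted != 'Deleted'
            ORDER BY class_no ASC";          // column name unquoted, so it really sorts
    $stmt = $dbh->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $dbh->error);
    }
    $stmt->bind_param('s', $showId);         // 's' = bind as a string
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // requires mysqlnd
    $stmt->close();
    return $rows;
}

// Constructed id containing an apostrophe, the case that broke the original query.
$rows = fetchUnpaidInvoices($dbh, "O'Brien's show");
```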
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
I have a situation where I'd like to add a list of names in an array and use it in an SQL query.
How I do it:
$names = implode(',', $names);
$sql = "DELETE FROM product WHERE name NOT IN ($names)";
This works ok if I use id (but I can't do that here). Problem is - name can have a comma in it (i.e. - benchpress rack, blue) and that breaks this query. Is there a way to bypass this issue?
Try this:
$names = implode("','", $names);
$sql = "DELETE FROM product WHERE name NOT IN ('$names')";
If this is your actual code I would suggest switching to PDO, use a library, or escape your values with mysqli_real_escape_string.
Here is a link: http://php.net/manual/en/mysqli.real-escape-string.php
Here is a w3schools link for prepared statements, a decent high level view of how they work: http://www.w3schools.com/php/php_mysql_prepared_statements.asp
Here is how your statement query will run if you're using PDO:
// $names is the original array here, not the imploded string. NOT IN needs one
// placeholder per value; a single :names bound to the joined string would be
// compared as one literal, not as a list.
$placeholders = implode(',', array_fill(0, count($names), '?'));
$query = $conn->prepare("DELETE FROM product WHERE name NOT IN ($placeholders)");
$query->execute(array_values($names));
And for mysqli it will be similar, refer to the w3schools link above for the differences.
I highly recommend you move away from the old mysql driver and at the very least switch to mysqli.
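The mysqli counterpart the answer refers to, as an added example that is not the answerer's code: one ? per value, types bound with a generated type string, and an explicit refusal of an empty list (NOT IN () is a syntax error, and a query that "keeps nothing" would delete every row). $mysqli is an assumed open connection.

```php
<?php
// Added example: DELETE ... NOT IN (...) with mysqli and a variable-length list.
function deleteNotInMysqli(mysqli $db, array $keep): int
{
    if ($keep === []) {
        // Refuse rather than run "NOT IN ()" or, worse, drop the WHERE clause.
        throw new InvalidArgumentException('list of names to keep must not be empty');
    }
    $values       = array_values($keep);                       // positional for the spread below
    $placeholders = implode(',', array_fill(0, count($values), '?'));
    $stmt = $db->prepare("DELETE FROM product WHERE name NOT IN ($placeholders)");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // One 's' per value; bind_param takes references, which the spread supplies.
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $stmt->execute();
    $deleted = $stmt->affected_rows;
    $stmt->close();
    return $deleted;
}

// Constructed input: the comma-containing name from the question plus a name with a quote.
$deleted = deleteNotInMysqli($mysqli, ['benchpress rack, blue', "O'Neil bar"]);
```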
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 7 years ago.
I read so much about types to prevent SQL injections. I probably don't want to use prepared statements if there is another way to prevent them in 100% of the cases.
Currently I'm sticking to this:
$safe_var = mysql_real_escape_string($unsafe_var);
mysql_set_charset("utf8");
$sql = "REPLACE `news` (`id`, `author`, `title`, `text`, `time`) "
     . "VALUES ('$id', '$author', '$title', '$text', UNIX_TIMESTAMP());";
mysql_query($sql);
For this example all the variables in the SQL statement are constructed as the safe_var at the start. I see many opinions on what is safe in SQL and what not, so I don't know what is right.
My question is, is this 100% safe and is it safe to use this way in every possible SQL statement, by using mysql_real_escape_string and putting the variables in single quotes as I did in the statement?
Thanks in advance for help!
PS: I know there are many questions like this but everyone keeps saying different stuff and I still haven't found anyone that says that my way is safe from SQL injections in every possible statement.
At the least you would want to convert to mysqli rather than mysql. You would want to also further test the user input as much as possible to ensure it is legitimate.
Highly recommend PDO and prepared statements.
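The REPLACE from the question moved to PDO with named placeholders, as an added example that is not the asker's or the answerer's code. The charset goes into the DSN (replacing mysql_set_charset), and emulated prepares are switched off so the server itself keeps values apart from SQL. The host, database name, credentials and sample row are assumed.

```php
<?php
// Added example: the news REPLACE as a PDO prepared statement.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $usr, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failures throw instead of returning false
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
]);

function replaceNews(PDO $pdo, int $id, string $author, string $title, string $text): int
{
    $stmt = $pdo->prepare(
        'REPLACE INTO `news` (`id`, `author`, `title`, `text`, `time`)
         VALUES (:id, :author, :title, :text, UNIX_TIMESTAMP())'
    );
    // Each value is bound by name; no quoting or escaping happens in PHP.
    $stmt->bindValue(':id',     $id, PDO::PARAM_INT);
    $stmt->bindValue(':author', $author);
    $stmt->bindValue(':title',  $title);
    $stmt->bindValue(':text',   $text);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed sample row: the quote and backslash need no special handling.
replaceNews($pdo, 7, "O'Connor", 'Back\\slash and \'quote\' in title', 'body text');
```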
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
OK so I have this kind of query
SELECT * FROM table WHERE column LIKE 'Blahblahblah Blah - Blah (Blah-Blah)'
(Yep, column values are 20-30 characters long)
And it works in phpmyadmin and returns ~ 100 results.
But when I try it in the PHP framework CI (CodeIgniter)
it is not returning any values.
My code looks like:
$sql = "SELECT * FROM table WHERE column LIKE '$val' ORDER BY column ASC";
$sql = $this->db->query($sql);
return $sql->result();
So how do I get this to work?
Before you try to make it work, you really, really need to change the way you're constructing the query. You should use a prepared statement where you introduce variables, and then bind them to values.
The way you've written it is horribly vulnerable to SQL injection attacks. (Suppose $val contained '; DROP DATABASE blah; .... What would the whole SQL statement now look like?) If you try to solve the problem in its current form, you'll end up with something that works but will be very dangerous. Make it safe first with a prepared statement.
Details in this linked question.
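The query from the question with CodeIgniter 3 query bindings, as an added example that is not the asker's code nor part of CodeIgniter itself: each ? is replaced by the escaped value from the array, so $val is never spliced into the SQL by hand. The model name and the placeholder table/column names are assumptions.

```php
<?php
// Added example: CodeIgniter 3 query bindings instead of string interpolation.
class Item_model extends CI_Model
{
    // Exact match, as in the question: LIKE without wildcards behaves like =.
    public function find_by_column(string $val): array
    {
        $sql = "SELECT * FROM `table` WHERE `column` LIKE ? ORDER BY `column` ASC";
        return $this->db->query($sql, [$val])->result();
    }

    // Substring match: the pattern is built in PHP and still bound. Any %, _ or
    // backslash typed by the user is escaped so it matches literally instead of
    // acting as a LIKE wildcard.
    public function search_column(string $needle): array
    {
        $pattern = '%' . addcslashes($needle, '%_\\') . '%';
        $sql = "SELECT * FROM `table` WHERE `column` LIKE ? ORDER BY `column` ASC";
        return $this->db->query($sql, [$pattern])->result();
    }
}

// Constructed call with the value from the question, parentheses and hyphens included:
// $rows = $this->item_model->find_by_column('Blahblahblah Blah - Blah (Blah-Blah)');
```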
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Are dynamic mysql queries with sql escaping just as secure as prepared statements?
Is using only mysqli_real_escape_string enough to secure a query? Or is there more to consider when trying to securely query a database?
If used everywhere correctly, real_escape_string is an option. But consider the following code:
$page = $_GET['page'];
// $link is the open mysqli connection; mysqli_real_escape_string() requires it as the first argument
$sql = 'SELECT `name` FROM `user` WHERE `id` = ' . mysqli_real_escape_string($link, $page);
Safe or not? real_escape_string can only be used to escape strings inside quotation marks. $page could be 1 OR id IN (2,3,4,5,6,7,8,9) → no quotation marks, no real escaping. Casting to the correct datatype (int) might help in this case. You're better off using prepared statements; they are not as easy to misuse.
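An added example, not part of this answer or the first one on this page, covering both the pk_id lookup from the first question and the numeric case above: escaping leaves an input with no quotes or backslashes untouched, so an unquoted integer context is protected either by binding the value as an integer or by rejecting anything that is not one. $pdo and $mysqli are assumed open connections.

```php
<?php
// Added example: handling an integer id safely in an unquoted WHERE clause.

// 1. The lookup from the first question as a prepared statement with an integer bind.
function fetchById(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM `my_table` WHERE `pk_id` = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. Validation for code that still concatenates: only a genuine integer gets
//    through, and the check happens before any SQL text exists.
function requireInt($value): int
{
    $int = filter_var($value, FILTER_VALIDATE_INT);
    if ($int === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    return $int;
}

// Constructed request value from the answer above. It contains no quote or
// backslash, so mysqli_real_escape_string() has nothing to change in it.
$page    = '1 OR id IN (2,3,4,5,6,7,8,9)';
$escaped = mysqli_real_escape_string($mysqli, $page);   // identical to $page

try {
    requireInt($page);          // rejected: not an integer
} catch (InvalidArgumentException $e) {
    error_log('rejected page id: ' . $e->getMessage());
}
$row = fetchById($pdo, requireInt('42'));              // accepted and bound as int
```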