This question already has answers here:
Can I protect against SQL injection by escaping single-quote and surrounding user input with single-quotes?
(19 answers)
How can I prevent SQL injection in PHP?
(27 answers)
SQL injection that gets around mysql_real_escape_string()
(4 answers)
Closed 4 years ago.
I was trying to look for mitigation of SQL Injection against my web application based on PHP and MySQL. The first rule is to sanitize the query; Hence I am using mysql_real_escape_string() function for that
Here is what my snippet looks like
if (is_string($string)) {
return $mysqli->real_escape_string($string);
} else {
return "";
}
Here, $string would contain the user-input. After this filtering and escaping, I would use INSERT INTO query to insert into database.
This filter, will thwart any malicious user inputs like haha' , inj'' etc as is_string() will detect those string and apply real_escape_string() to escape those evil characters. The only possibility I can think an attacker can do is use a Numeric payload for SQL Injection but I don't know any Numeric payload itself has caused Injection yet so far.
So, will this filter keep away the bad guys or is it bypassable ?
EDIT:
I know Prepared statements are much better and a good coding practice while launching app in production. But for this question, I am specifically looking answer to how anyone can thwart this filter itself because it does seem strong to me!
NO
is_string() will not protect against SQL injection, a numeric payload will not be able to cause any table damage or unwanted access regardless, and string sanitization does not protect against all SQL injection.
I should give you the spiel about why prepared statements are amazing and all that, but you yourself indicated that the point of the question was to point out flaws in sanitization
Why You Should Use Prepared Statements Over Sanitization
There are situations where you want unsanitized data in your database, e.g. specially formatted text (like LaTeX, XML, or JSON), where you would need to de-sanitize data, which is not a 100% guarantee of accuracy (e.g. XML file which includes HTML entities like " would be changed to ", changing the data)
Prepared statements can be re-bound and executed in very few lines
Theoretically, if you have a query like the one below, sanitization will not save you(borrowed from here)
$iId = mysql_real_escape_string("1 OR 1=1");
$sSql = "SELECT * FROM table WHERE id = $iId";
NO: PHP delusion #1: Mysql(i)_real_escape_string prevents SQL injection
This filter, will thwart any malicious user inputs like haha' , inj''
Your ideas are anything but a protection. There is nothing "malicious" in user inputs like haha' , inj'', neither a really malicious input would contain any of these characters.
That said, any user input is a string, so you will create a mockery of the notorious magic quotes feature, much despised and long removed from the language.
Go for the prepared statements.
Related
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
How to prevent SQL injection in PHP?
I use PDO prepared statements to prevent MySQL injection, but should I be doing anything more to sanitize user input? The user will only be shown his own input and the input of others he "friends." Is there anything else I need to do to sanitize input?
I don't think that magic quotes are enabled, and I can't think of any other way a user could mess with my site, but I am new to this so I am not sure.
Thanks in advance!
If you're using prepared statements, then you shouldn't have any issue with MySQL injection.
If an application exclusively uses prepared statements, the developer
can be sure that no SQL injection will occur (however, if other
portions of the query are being built up with unescaped input, SQL
injection is still possible).
You might consider sanitizing your output, however, like only displaying certain HTML tags (if any at all), to avoid issues with someone messing with the site's layout or, worse, executing arbitrary JavaScript.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
How to prevent SQL injection?
This is more of a philosophical point i'm trying to determine, out of curiosity.
I know that theoretically, any password or encryption is crackable.
But is it the same with SQL injection, where one just has to find the appropriate measures to deal with /bypass whatever security measures are implemented in the site? Or is injection something that can be definitively and with certainty defended against using a fixed set of security measures?
Im essentially wondering if it is possible to the input fields in my site unhackable through injection, or whether there will always be some vulnerability?
Being vulnerable to SQL injection is a bug. A well-built application will not contain such a bug, and no amount of effort will make such a bug appear.
SQL injection implies the data entered conforms to valid SQL (though typically injected in a creative way to produce undesired results).
To protect against it, you simply need to ensure that any user supplied data is encoded in a way that it cannot be misused.
As mentioned in a link above ( How can I prevent SQL injection in PHP? ), using prepared statements is a best practice to protect against SQL injection.
Sql injection is a technique used to hijack the security of website.
Sql injection occurs when data specified in input fields are not filtered for escape characters and passed into sql query for execution.
For testing sql injection please refer the following url.
http://sqlzoo.net/hack/
In above url try specifying "'" in field for name and specify "OR 1=1 #" in field for password
So the resultant query will be
SELECT * from user where name='' OR 1=1#' and password='';
In the above example you can notice that query is broken after specifying above data in input fields and any anonymous user can easily login into website.
There are several techniques to prevent sql injection.
(1) Input data must be filtered using mysql_real_escape_string while being passed into sql query for execution.
For more details about mysql_real_escape_string function please refer the documentation mentioned in below url.
http://php.net/manual/en/function.mysql-real-escape-string.php
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
I'm starting to think about protecting my inputs from SQL injection. I've read about PDO and mysqli and will be using those techniques. While I was researching protection against SQL injection, I had a thought about a technique. Whenever I have an input from a user, I could scan the input string and search for occurrences of "'" or "DROP" and if the string contains those characters, then I could just not proceed. Would this technique prevent a lot of SQL injection?
Thanks for your help.
It is best to go with methods which have gone through rigorous testing before hand, and not try to implement your own.
A problem with your desired solution is, what happens when SQL add a new notation for dropping tables? Or what if they use 'truncate' instead? This is not foolproof.
Just use PDO or SQLi.
If used correctly and as intended, both will stop it; it'd be silly to use a measure like stopping the word DROP -- Imagine if someone types 'dropbox,' for example?
You should escape your input, and consider using prepared statements. This will remove nearly all SQL injection weaknesses. Scanning for specific words is a terrible practice, as it generally annoys legit users, and doesn't stop determined hackers.
Try to use only prepared statement. It one of the best technique ever.
http://php.net/manual/pt_BR/pdo.prepared-statements.php
The best way is to validate all user input against strict patterns to ensure no user data is abnormal, along with PDO prepared statements - this way you may also prevent XSS however it is usually beneficial to sanitize all user generated output as well just in case you didn't properly validate something and a user is able to execute malicious code.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Best way to defend against mysql injection and cross site scripting
How to include a PHP variable inside a mysql insert statement
I was wondering if anyone had came across the stripslashes statement when getting text from a password field, and if there is any way to do an SQL injection when this is the case?
i.e. in the PHP language you can get text from a password field of a website and pass it through the stripslashes statement to remove any (') so (' OR 1=1 --) becomes (OR 1=1). And makes SQL injections hard to do.
stripslashes removes slashes (\), which are escape characters, from data, not quotes ('). If anything, it's use will increase the likelihood of an SQL injection vulnerability existing.
To defend against SQL injection use prepared statements and parameterized queries.
stripslashes should not be used for password. Because it might be stripping slashes which users have input intentionally. To prevent sql injection escape according to the rdbms you are using. This will make sure you enter the exact same string user has inputted but escaped so sql injection will not occur.
For mysql use mysql_real_escape_string
Another better option is to use prepared statement. Its available in all the recent database drivers of PHP. The generic algorithm is
Prepare a statement. Usually by prepare function
Bind the values. usually by bind function.
execute the statement. Usually exec function.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
How to prevent SQL injection in PHP?
I am working for a video streaming website for my college library. I am using PHP and MySql. I have not used any parameterized queries in this project.
Recently I came to know about SQL injections. Now that my code is almost done and I have to submit the project in the next two days, how can I now ensure that my code is not SQL injection prone?
Converting the whole thing in to a parameterized interface is what I can't do now. What should I do now to avoid SQL Injections on my website?
The basic idea to prevent SQL injections (if not using Prepared Statements) is to escape your data.
When you inject some expected integer value into an SQL query, make sure it's an integer, using intval().
When you have a decimal/numeric field in your table, use floatval().
And when you have a string (char, varchar, text) field in your table, use the function provided by your API to escape strings :
mysql_real_escape_string()
mysqli_real_escape_string()
PDO::quote()
I really recommend that you go back and do it right with parameterized queries. It is the only solid path towards security. It likely won't take too long to do this once you get started.
You should also know that websites are never "finished". When you launch a site, your work has just begun. Fixing security troubles as you learn about them is part of it, and this is no different.
You'll want to make sure any user provided inputs that get used in SQL queries are escaped using the PHP function mysql_real_escape_string and if you are letting people submit text to run htmlentities on the provided text so XXS isn't possible. If possible, white-list user provided input and discard anything else
This is just touching the surface of what you can do but look into query escaping and preventing cross site scripting.
Use PDO (or alternatively mysqli or some abstraction layer) and prepared statements.
Quick example:
$pdo = new PDO($dsn);
$stmt = $pdo->prepare("SELECT name FROM users WHERE id = ?");
$stmt->execute(array($unsafe_id));
$name = $stmt->fetchColumn();
In this example, $unsafe_id will be safe to use. To quote the manual page:
Calling PDO::prepare() and
PDOStatement::execute() for statements
that will be issued multiple times
with different parameter values
optimizes the performance of your
application by allowing the driver to
negotiate client and/or server side
caching of the query plan and meta
information, and helps to prevent SQL
injection attacks by eliminating the
need to manually quote the parameters.
PDO will emulate prepared
statements/bound parameters for
drivers that do not natively support
them, and can also rewrite named or
question mark style parameter markers
to something more appropriate, if the
driver supports one style but not the
other.