This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 5 years ago.
I have been given a project to complete; in the backend there are SQL statements doing various things, as you'd expect.
In the past I have used PDO to construct SQL queries that use parameterisation to avoid injection attacks.
Whilst reading through the code I noticed many queries in the form of:
$sql = "SELECT * FROM detail WHERE email ='$email'";
$query = mysqli_query($dbcon, $sql);
With no parameterisation or cleaning of input.
Is this type of query vulnerable? Should there not be some form of parameterisation, and, more importantly, should I explain the risks involved, as it seems the developer was unaware of them?
Yes, it is.
But you can use prepared statements with mysqli: http://php.net/manual/en/mysqli.prepare.php
So with your data it will look like:
$prepare = $dbcon->prepare("SELECT * FROM detail WHERE email = ?");
$prepare->bind_param("s", $email);
$prepare->execute();
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 4 years ago.
Most of the time I've been doing SQL like this:
$pdo = new PDO($dsn, $usr, $pass);
$qry = 'SELECT * FROM `my_table` WHERE `pk_id` = '. $id .';';
$res = $pdo->query($qry);
But recently I've seen a few posts showing that the only way to be safe is using prepared statements. This isn't really an issue for me, and this probably has an answer, just one I couldn't find from Googling around.
Surely, if all of my statements end in .';', using concat is OK?
Thanks,
No.
In SQL, it does not give an error if you supply two semicolons at the end of your query.
So if a user could pass along this:
1; DROP TABLE users;
it will have the same consequences, with or without the semicolon added at the end in your code.
The huge benefit of prepared statements is that no data is being altered. It simply sends two queries.
Here is a nice source which contains a lot of SQL injection examples.
This question already has answers here:
How to echo a MySQLi prepared statement?
(6 answers)
Closed 5 years ago.
Is there any function that will return the prepared query string after processing all the parameters? Like:
$stmt = $conn->prepare("SELECT full_name FROM user_info where user_id = ?");
$stmt->bind_param("s", $user_id);
Can I see the final query string that will execute?
If the driver is capable of using prepared statements, i.e. if it doesn't require emulation, then the final query executed is the prepared statement.
If you want to find out what was executed, you need to turn on the general query log on your server. That can be very, very noisy and fill up your disk quickly on a busy server.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
PDO prepared statement - what are colons in parameter names used for?
(6 answers)
PDO closing connection
(6 answers)
Closed 5 years ago.
I am using PDO for the first time on my project and have some confusion I wanted to clarify:
Everyone recommends PDO because it prevents SQL injection, so:
Do we need to apply other functions like strip_tags before making a query, or aren't they necessary with PDO?
What is the difference between :username and username?
Example:
$stmt = $db->prepare("SELECT id FROM USERS WHERE username=:username");
$stmt->bindParam(":username", $username);
$stmt->bindParam("username", $username);
Does PDO::PARAM_STR, which is used as the third parameter in the bindParam statement, prevent SQL injection?
Is it necessary to close the connection by setting the connection object to null at the end? Like:
$db = null;
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
I need to use a select query but my code keeps crashing because some of the names have apostrophes in them. I pull all the data into a table and halfway through it just stops because it hits an apostrophe.
My select Query:
$query = mysqli_query($dbh, "select * FROM show_invoice where id_show='$get_id' and status='UNPAID' and scratch = 'Unscratched' and show_deleted != 'Deleted' ORDER BY 'class_no' ASC");
There are 3 columns that will possibly contain apostrophes. Any advice on how I can stop it from crashing?
You can use mysqli_real_escape_string.
So just do
$get_id = mysqli_real_escape_string($dbh,$get_id);
before running your query.
Note: You should really use prepared statements instead of building your own queries, because of the risk of SQL injection attacks.
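A prepared-statement version of both queries on this page that run into this problem (the email lookup from the first question and the show_invoice query above), added here as an example; it is not code from either post. It assumes a MySQL server with those tables, mysqlnd (for get_result()), and placeholder connection values.

```php
<?php
// Added example (not from the original posts). Assumes a MySQL database with the
// tables the two questions mention: `detail` (column `email`) and `show_invoice`
// (columns id_show, status, scratch, show_deleted, class_no). Connection values
// below are placeholders.
declare(strict_types=1);

// Throw mysqli_sql_exception on any error instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$dbcon = new mysqli('db-host-placeholder', 'user-placeholder', 'password-placeholder', 'db-placeholder');
$dbcon->set_charset('utf8mb4');

/** Rows in `detail` matching an e-mail; $email is sent as a bound parameter, never interpolated. */
function findDetailByEmail(mysqli $db, string $email): array
{
    $stmt = $db->prepare('SELECT * FROM detail WHERE email = ?');
    $stmt->bind_param('s', $email);      // "s": bind as a string, whatever characters it contains
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);   // get_result() needs mysqlnd
}

/**
 * Unpaid, unscratched invoices for one show. An apostrophe in $get_id (or in any
 * returned column) cannot terminate the SQL string because the value is bound.
 * The column in ORDER BY is quoted with backticks: 'class_no' in single quotes
 * would be a string constant and would not sort anything.
 */
function unpaidInvoicesForShow(mysqli $db, string $get_id): array
{
    $sql = "SELECT * FROM show_invoice
            WHERE id_show = ? AND status = 'UNPAID' AND scratch = 'Unscratched'
              AND show_deleted != 'Deleted'
            ORDER BY `class_no` ASC";
    $stmt = $db->prepare($sql);
    $stmt->bind_param('s', $get_id);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed inputs: both contain an apostrophe, the kind of value that broke
// the concatenated query in the question.
foreach (findDetailByEmail($dbcon, "o'brien@example.com") as $row) {
    echo $row['email'], PHP_EOL;
}
foreach (unpaidInvoicesForShow($dbcon, "Summer '19 Show") as $row) {
    echo $row['class_no'], PHP_EOL;
}
```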
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
Is there a way to restrict PHP PDO execute() to run just the first SQL statement?
For instance running
SELECT * FROM customer;DROP TABLE invoice
will return all customers but it will also delete the invoice table.
I have a situation where I need a whole SQL statement from a user but it must be a SELECT and nothing additional.
My example is just one of many that could be maliciously entered. It might include additional DROP, UPDATE, DELETE statements etc.
A prepared statement will simply replace ?s with values. It will not stop dangerous SQL statements being passed to it.
This would not be a problem if there were a way to restrict PHP PDO execute() to run just the first SQL statement.
If you're trying to prevent SQL injection, prepared statements can handle it.
You can use something like this to prevent SQL injection:
$stmt = $db->prepare("SELECT * FROM table WHERE id=? AND name=?");
$stmt->bindValue(1, $id, PDO::PARAM_INT);
$stmt->bindValue(2, $name, PDO::PARAM_STR);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
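An added PDO example, not from either post, that serves both the earlier question about appending ';' to a concatenated query and this one about stopping execute() at the first statement. It assumes the pdo_mysql driver on mysqlnd (PHP 7.1 or later), the `my_table`/`pk_id` table from the earlier question, and placeholder connection values.

```php
<?php
// Added example (not from the original posts). Assumes the PDO MySQL driver
// (pdo_mysql on mysqlnd) and a table `my_table` with an integer column `pk_id`.
// Connection values are placeholders.
declare(strict_types=1);

$dsn = 'mysql:host=db-host-placeholder;dbname=db-placeholder;charset=utf8mb4';
$pdo = new PDO($dsn, 'user-placeholder', 'password-placeholder', [
    // Errors become exceptions instead of silently returning false.
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Send the query and its parameters to the server separately (server-side
    // prepare): a value such as "1; DROP TABLE users;" is only ever data, so a
    // trailing ';' in your own SQL text neither helps nor hurts.
    PDO::ATTR_EMULATE_PREPARES => false,
    // Refuse stacked queries at the driver level. This is what the last question
    // asks for: "SELECT ...; DROP TABLE invoice" fails instead of running both.
    // It must be set in the constructor; setAttribute() cannot change it later.
    PDO::MYSQL_ATTR_MULTI_STATEMENTS => false,
]);

/** Fetch one row by primary key. $id is validated as an integer and bound, never concatenated. */
function findByPk(PDO $pdo, $id): ?array
{
    // filter_var rejects "1; DROP TABLE users;" outright; a bare (int) cast
    // would silently turn it into 1 and hide the bad input.
    $pk = filter_var($id, FILTER_VALIDATE_INT);
    if ($pk === false) {
        throw new InvalidArgumentException('pk_id must be an integer');
    }
    $stmt = $pdo->prepare('SELECT * FROM `my_table` WHERE `pk_id` = :id');
    $stmt->bindValue(':id', $pk, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a legitimate id and the stacked-query string from the earlier question.
var_dump(findByPk($pdo, '42'));
try {
    findByPk($pdo, '1; DROP TABLE users;');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```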