This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
I have a situation where I'd like to add a list of names in an array and use it in an SQL query.
How I do it:
$names = implode(',', $names);
$sql = "DELETE FROM product WHERE name NOT IN ($names)";
This works ok if I use id (but I can't do that here). Problem is - name can have a comma in it (i.e. - benchpress rack, blue) and that breaks this query. Is there a way to bypass this issue?
Try this:
$names = implode("','", $names);
$sql = "DELETE FROM product WHERE name NOT IN ('$names')";
If this is your actual code I would suggest switching to PDO, use a library, or escape your values with mysqli_real_escape_string.
Here is a link: http://php.net/manual/en/mysqli.real-escape-string.php
Here is a w3schools link for prepared statements, a decent high level view of how they work: http://www.w3schools.com/php/php_mysql_prepared_statements.asp
Here is how your statement query will run if your using PDO:
$query= $conn->prepare("DELETE FROM product WHERE name NOT IN (:names)");
$query->bindParam(':names', $names);
$query->execute();
And for mysqli it will be similar, refer to the w3schools link above for the differences.
I highly recommend you move away from the old mysql driver and at the very least switch to mysqli.
Related
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Can PHP PDO Statements accept the table or column name as parameter?
(8 answers)
Closed 5 days ago.
I am creating a website using PHP PDO oops concept. For like - I want to count columns for different columns. I have created a function in a class. I follow all steps to secure data (SQL injection).
My function -
public function count_by_id($table,$col,$val)
{
$table=$this->sanitize($table,'string');
$col=$this->sanitize($col,'string');
$val=$this->sanitize($val,'string');
$sql= "SELECT count(*) FROM $table WHERE $col=:val";
$stmt = $this->dbConnection->prepare($sql);
$stmt->bindParam(':val', $val, PDO::PARAM_STR);
$stmt->execute();
$number_of_rows = $stmt->fetchColumn();
return $number_of_rows;
}
$table is a static variable that will not change any value. I use it only for table name and also the same for column name. The table and col values will not be changed by the end user. The end user will change only $val value and I have bound that value using a prepared statement.
Like - Calling a function -
count_by_id('users','username',$username);
The users and username will not change but $username will change and I have bound it. Is there any reason for SQL injection or not? I am not getting the table name and column name from the form.
I can use it for different table and column like this-
count_by_id('posts','slug',$slug);
I am totally confused because many programmers are doing like me and many say this may be the reason for SQL injection.
What is your view on that ?
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 4 years ago.
most of the time I've been doing SQL like this:
$pdo = new PDO($dsn, $usr, $pass);
$qry = 'SELECT * FROM `my_table` WHERE `pk_id` = '. $id .';';
$res = $pdo->query($qry);
but recently I've seen a few posts showing that the only way to be safe is using prepared statements - this isn't an issue really for me, and this probably has an answer, just one I couldn't find from Googling around.
surely, if all of my statements, end in .';' using concat is ok?
Thanks,
No.
In SQL, it does not give an error if you supply two semi colons at the end of your query.
So if a user could pass along this:
1; DROP TABLE users;
it will have the same consequences, with or without the semi colon in your code added at the end.
The huge benefit of prepared statements is that no data is being altered. It just simply sends two queries.
Here is a a nice source which contains a lot of SQL injection examples.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
Ok so i have this kind of query
SELECT * FROM table WHERE column LIKE 'Blahblahblah Blah - Blah (Blah-Blah)'
(Yep, column values are 20-30 characters long)
And it works in phpmyadmin and returns ~ 100 results.
But whn i try it in PHP framework CI (CodeIgniter)
It is not returning any values.
My code looks like:
$sql = "SELECT * FROM table WHERE column LIKE '$val' ORDER BY column ASC";
$sql = $this->db->query($sql);
return $sql->result();
So how do i get this to work?
Before you try to make it work, you really, really need to change the way you're constructing the query. You should use a prepared statement where you introduce variables, and then bind them to values.
The way you've written it is horribly vulnerable to SQL injection attacks. (Suppose $val contained '; DROP DATABASE blah; .... What would the whole SQL statement now look like?) If you try to solve the problem in its current form, you'll end up with something that works but will be very dangerous. Make it safe first with a prepared statement.
Details in this linked question.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
MySQL INSERT from a SELECT with PDO
I've historically used the mysql_* style of connecting to mysql via php and am finally making the trek over to PDO. In the past I've like to use mysql's INSERT INTO... SELECT... to insert data. The benefit being that I could add columns to a table at a later time without completely hosing all other forms that interact with that table. My question is quite simply. . . is there a PDO equivalent to this?
I'm not having much luck using the old syntax in a prepared statement nor do I see any examples using this format. Any thoughts or suggestions would be much appreciated.
The queries don't change. You can use things like:
$postUser = $_POST["user_name"];
$stmt = $dbh->prepare("SELECT * FROM user WHERE userName = :postUser");
$stmt->bindParam(':postUser', $postUser);
$stmt->execute();
To INSERT:
$sql = "INSERT INTO table (whatever) VALUES (:whatever)";
$q = $conn->prepare($sql);
$q->execute(array(':whatever'=>'whatever'));
And to SELECT:
$sql = "SELECT whatever FROM table WHERE whatever = :whatever";
$q = $conn->prepare($sql);
$q->execute(array(':whatever'=>'whatever'));
$row = $q->fetch();
For more information on prepared statements go here.
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
PDO Prepared Statements
I'm using the mysqli extension in PHP and I'm wondering, is there possibly any way to see a prepared query as it will be executed on the server, e.g. The query is something like this
select * from table1 where id = ? and name = ?
but I want to see the query after the values are filled in, like this:
select * from table1 where id = 20 and name = "John"
Turn on mysql query logging and it will log all queries to a text file for you to review.
Duplicate of PDO Prepared Statements
Short answer: no. A prepared query will never be converted to the query you expect. It's executed directly by the database server. You can use mysql's query log or PDO's undocumented function debugDumpParams, but both are just approximations.
See it where?
If it's your code you have the query and you have the prepared parameters, log them separately or replace in the original query string.
If the binding will fail you will get an error, otherwise you should expect the same values to be "filled" in as you specified them.
Its the way most of the times I am debugging mysql quires:
$q = "select * from table1 where id = ".$id." and name = ".$name;
echo $q;
The output generates all variables assigned to the query.
Hope I understood you exactly, what you wanted.