This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
a little new to MySQL but, if I create a Page using HTML, CSS & JS do i need to use prepeard statements to prevent SQL Injections?
Or only if i use text iput?
Maybe me using text-input doesn't matter as user can edit files during use with browser-inspection tools to add one anyway.
If I use PHP instead of HTML for includes is it more easy to inject Code?
Lets say I set up a site using Siteground, where do i find the files I need to edit to prevent this, PHP or MySQL?
Or do I only need to worry about this if I write some custom PHP/MySQL code which handles incoming data to the database?
Or am I asking the wrong question?
Thanks!
-A
SQL injection is an attack type which consists of a user writing malicious code as user input and then posting it to the server. If the db server executes such a code, then bad things will happen.
To prevent executing malicious SQL provided in user input is equivalent of escaping dynamic parameters of queries. This can be done either by PDO or mysqli_real_escape_string.
So, to make sure you have no possibility for SQL injection, just check all the places where direct MySQL commands are executed and make sure the parameters are escaped.
Related
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 7 years ago.
I was wondering if I'm safe from SQL injection if I have this in a script:
< script>
//some stuff
var item = <?php echo json_oncode($PHPVAR) ?>
item.replace(/"/,'"').replace(/'/,''');
//do more script stuff with item
< /script>
currently using Laravel (PHP), with PDO
Are there anything else that I should be aware of/look out for?
(I didn't whitelist/blacklist before submitting to database b/c PDO does that for me from what I understand)
Also I'm asking b/c item is taken from a user input and it dynamically creates HTML using the value of item
The question is somewhat unanswerable (atleast not in a way that will not give you a false sense of security) with the amount of resource provided.
Since you are using PDO I'll go right ahead and say that you ought to be using prepared statements. Injection on a whole primarily lies on how the Web Application handles user input.
Your question should be, "How does this piece of user input interact with my application?" -- ofcourse there isn't a set list of things to do in order to keep yourself protected from (B)SQLi (or other variants of Injection [XSS/LDAP]).
The following are some good resources that will help you out further with regards to SQL Injection on a whole (you need to know how the vulnerability works in general if you want to be able to cover something specific).
OWASP SQL Injection
Acunetix SQL Injection
SQL Injection Cheat Sheet
There isn't much more to specifically answer your question except maybe go deeper into how to handle user input with regards to the code you have provided (which we may but I don't think is required).
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
Little background.
I'm making a forum with an account system.
So naturally they have to insert data to the database whilist speaking in the forums.
What is the safest way to let the user input data in an textarea?
Is there away so they can't just type in DROP TABLE 'USERS', or something else that might effect my forum?
Now I know there is some solutions to this, but how can I do this so that they're able to make their text look nice (<h1>,<img>) etc, but not do a proper SQL query?
Kinda like this page is made, I can type here with all sorts of looks but I cannot do anything to harm the page.
Thanks.
-Kevin
Either mysqli_real_escape_string or Prepared statements for SQL injection
To keep the HTML injection, just dont do anything. Queries are already vulnerable to HTML injection.
In your case you might just want to use an editor for your forum posts, like: TinyMCE
You need to do (at least) two things:
Your database user should have only required grants on given table - so GRANT INSERT on yourtable TO youruser instead of GRANT ALL on yourtable TO youruser
Make yourself sql injection safe - by using prepared statements in your php code
This question already has answers here:
Should I escape an expected integer value using mysql_real_escape_string or can I just use (int)$expectedinteger
(2 answers)
Closed 9 years ago.
I have a PHP script that depending on the value of an id in a GET variable will retrieve different data from a mysql database. The value of the id should be a number at all times. Instead of changing my current mysql query to use PDO, would running isnumeric on the Get variable and exiting the script if it is not a number be sufficient to protect against injection in all or most cases, ie, would it still be possible for some injection sql to slip through isnumeric?
Just a humble comment on the duplicate question issue, I looked at the suggested duplicate question and think that as a beginner it might not be clear on its face that my question is an exact duplicate of that one.
Yes, it would protect in this case. No, it would be a really, really bad idea unless you absolutely know what you're doing and document the choice properly in comments.
There are 2 strategies towards any kind of security:
Denial. Choose the lazy approach that works for the situation at hand instead of fundamentally fixing it. Now wait for the day you forgot this was your 'security', and you change the code and it becomes vulnerable all of a sudden, and kiddie porn is uploaded to your site.
Professionalism. Fix the problem thoroughly, validate the inputs and protect your database layer properly, by either escaping or using prepared statements.
Choose professionalism and thank me a year from now.
Seems like this question has already been answered. And yes, the isNumeric trick essentially would only allow sanitized inputs, thus shielding your application from SQL injection.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
How to prevent SQL injection in PHP?
I use PDO prepared statements to prevent MySQL injection, but should I be doing anything more to sanitize user input? The user will only be shown his own input and the input of others he "friends." Is there anything else I need to do to sanitize input?
I don't think that magic quotes are enabled, and I can't think of any other way a user could mess with my site, but I am new to this so I am not sure.
Thanks in advance!
If you're using prepared statements, then you shouldn't have any issue with MySQL injection.
If an application exclusively uses prepared statements, the developer
can be sure that no SQL injection will occur (however, if other
portions of the query are being built up with unescaped input, SQL
injection is still possible).
You might consider sanitizing your output, however, like only displaying certain HTML tags (if any at all), to avoid issues with someone messing with the site's layout or, worse, executing arbitrary JavaScript.
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Best way to stop SQL Injection in PHP
I'm currently designing and building my own content management system and my main worry is someone using an sql injection on my forms. I have a decent amount of security to get into my CMS but on the front end of the site I'll have a subscriber form and contact for which will link to my mySql database.
What tend to be the conventional PHP methods for preventing sql injection on forms?
any help would be great, thanks.
There's a function mysql_real_escape_string() which is generally seen as a basic requirement for preventing this kind of attack.
Don't forget to also set a character encoding. I'd suggest UTF-8. And make sure your HTML uses the same encoding as your database/tables.
Probably one of the best solutions is to filter all incoming data with function mysql_real_escape_string
To protected yourself against SQL Injection you need to sanitize input and use parameter queries.
I'm not sure about PHP, but I think you have something like prepared statements. You should search and read a little about it.
Also, that is not the only problem you should care about, please (!!!) take a look at https://www.owasp.org/index.php/Main_Page