Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 6 years ago.
Improve this question
I would like to know how to make a php file safer in general. I actually use mysqli, which is unfortunately not the newest version anymore, I know. I mysqli_escape_str...() all strings entered in input fields, too. But do you have some tips regarding the safety. I also use some ajax, if you need to know that.
This is a huge subject and it depends what you're using at the moment but by the sounds of it I would suggest things like PDO instead of mysqli as this uses prepared statements. Its impossible for a SQL injection attack when using prepared statements properly. As for the AJAX you could ensure you are using CSRF tokens.
In general you can find a lot of the security risks here: https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet and some ways to mitigate them.
When you deal with queries in database, you have to make sure that there's no sql injection. Now because you already know mysqli_escape_str, I will suggest you something better : use prepared queries.
Here's an example:
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);
// insert one row
$name = 'one';
$value = 1;
$stmt->execute();
// insert another row with different values
$name = 'two';
$value = 2;
$stmt->execute();
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 6 years ago.
Improve this question
foreach($array as $values){
$MySQL_string = "
UPDATE `MyGuests` SET `firstname` ='".$values['name]."' WHERE `id` ='".$values['user]."';
";
$DB->mysqli->query($MySQL_string);
}
Are there any downfalls to performing multiple PHP MySQL queries in a for loop?
It's perfectly fine to run SQL queries in a loop in PHP as long as you know what you're doing.
If you loop queries all over the place and/or on most page-loads, or on a scale large enough to hinder your server's performance, you should look into refactoring your code/application logic and find more performance-friendly options. This is unlikely to be the case with INSERT and UPDATE queries. If you're running lots of SELECT statements in a loop, however, you're probably doing something wrong.
You could avoid a loop by using mysqli_multi_query(). However it'll make debugging individual queries more difficult. Also it won't allow you to use prepared statements (a very good idea for both performance and security reasons). There's nothing inherently evil about loops. Don't worry too much about (premature) optimization for operations that aren't the churning core of your application.
Depending on your interpretation, it might be correct to run multiple queries in a loop. However, for optimal performance, it is best to reduce the queries to a minimal number of queries.
One way this can be done with your example is to use a CASE statement. See this article for more information, and the example below, based on your sample code.
Also, while this isn't codereview.stackexchange.com, it is recommended that you prepare statements and bind parameters instead of placing values inline, so as to avoid the possibility of a SQL injection attack. See this answer where parameters are bound for the INSERT statement.
$cases = array();
$whereConditions = array();
foreach($array as $values){
$cases[] = 'WHEN `id` = '.$values['user'].' THEN \''.$values['name'].'\'';
$whereConditions[] = '`id` = \''.$values['user'].'\'';
}
$MySQL_string = "UPDATE `MyGuests` SET `firstname` = CASE ".implode(' ',$cases)." END WHERE ".implode(' OR ',$whereConditions);
$DB->mysqli->query($MySQL_string);
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
The most common suggestion for protection against MySQL injection is prepared statements (either from PDO of mysqli). Say for whatever reason, I can't use prepared statemnets...how do I protect my data?
I would love to create a function like the following...
function cleanse($val) {
global $db;
$val = $db->real_escape_string($val);
return $val;
}
//Then I use it like
$sql = "select abc from dyf where z='".cleanse($_GET['id'])."'";
$db->query($sql); //etc...
But I'm not sure if that stops 1=1 attacks and attacks from strange foreign characters.
Is there a bullet proof way to make my cleanse function secure (no prepared functions!)?
Do I need to convert any string to utf-8?
If I wrap all column values in quotes and use mysqli's real_escape_string, am I ok?
Are there any other tricks that would make my cleanse function safe against injection?
I won't recommend it, but using mysql_real_escape_string can do the trick.
$sql = "select abc from dyf where z='".mysql_real_escape_string($_GET['id'])."'";
But if you can use PDO use it anyday, if you are limited this would be an oportunity. Only works in some versions of PHP.
http://php.net/manual/en/function.mysql-real-escape-string.php
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 9 years ago.
Improve this question
I am learning php on my own and was wondering if I would susceptible to sql injections if I make the database name a $_GET even if the normal command goes through a PDO function?
ex.
$hostname_Database = "blocked";
$database_Database = $_GET['henryfor'];
$username_Database = "blocked";
$password_Database = "blocked";
$dbh = new PDO("mysql:host=$hotname_Database;dbname=$database_Database", $username_Database, $password_Database);
...
If you allow the database name to come from $_GET you are allowing the end user to choose the database name. Normally this is a very bad idea, but for specialized applications (e.g. phpMyAdmin) that might be acceptable.
Additionally, because you're adding the name into a string with other connection information, there is nothing stopping the user from putting a ";" in the name, and then providing values for other parameters in the connection string.
So this isn't exactly the same as a SQL injection attack, but is in the same general category.
Like Waleen Khan said, you probably want to filter the database name so that only a white list of acceptable values is allowed. If that's not an option, you want to read up on if the connection string supports some kind of escaping, and either escape special characters, to filter them out.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
When should I use prepared statements? For any sort of query or just
specific kinds?
Should I be using prepared statements for SELECTING, or INSERTING, both, etc?
When should I not use them?
Thanks.
Prepared statements should be used for queries containing parameters. Otherwise, they are a waste of resources.
Example:
$pdo->query("SELECT * FROM `table`"); //No need for preparing here, no parameters.
However
$pdo->prepare("SELECT * FROM `table` WHERE `id` = :id"); //Prepare.
When should I use prepared statements? For any sort of query or just specific kinds?
For any sort preferably. Especially if you have a dedicated function or class for running queries. In such a case there should be just single method for running all the queries, no matter if they have dynamical parts or not.
Not to mention that all-static a query like "SELECT * FROM table" is a rare thing outside of sandbox.
Should I be using prepared statements for SELECTING, or INSERTING, both, etc?
Doesn't matter. The idea is to represent every dynamical value in the query with placeholder. the query type absolutely doesn't matter.
When should I not use them?
This question is quite similar to the first one. You would do yourself a mighty favor if use prepared statements all the way.
You should use prepared statements and parametrized queries whenever you are going to be using data that comes from anywhere outside of your program. That includes any interactions with the database, whether a INSERT, DELETE or UPDATE, or even a SELECT.
If you build SQL statements using data from the outside, you are in danger.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 9 years ago.
Improve this question
I've just completed my first prepared statement, converted to using them for security reasons. I've tested it and it works however I am looking for feedback (constructive criticism welcomed) regarding the code itself although I understand it 's fairly basic. Also, I have a few queries:
Am I correct in saying you do not require using mysqli_escape_string if you use prepared statements?
Will using the mysqli_stmt_get_result function cut down on the amount of writing I have to do and be as effective?
Is using mysqli_stmt_close necessary? Am I correct saying that without using this function I will not be able to create another prepared statement within that script?
Here is my code:
<?php
//prepared statement example
include 'database.php';
$query = "SELECT ID FROM users WHERE email = ?";
$email = 'myemail#gmail.com';
$statement = mysqli_stmt_init($connect);
mysqli_stmt_prepare($statement, $query);
mysqli_stmt_bind_param($statement, 's', $email);
mysqli_stmt_execute($statement);
mysqli_stmt_bind_result($statement, $id);
mysqli_stmt_fetch($statement);
echo $id;
?>
Am I correct in saying you do not require using mysqli_escape_string if you use prepared statements?
Yes. It's bad sign you're asking it - means you don't clearly understand how does all that mess works.
Will using the mysqli_stmt_get_result function cut down on the amount of writing I have to do and be as effective?
Yes. But here are bad news: is is not always supported. So, on some installations it won't work.
Is using mysqli_stmt_close necessary? Am I correct saying that without using this function I will not be able to create another prepared statement within that script?
Why, no.
You can simply recreate another prepared statement into this variable.
BTW, it'd strongly recommentd to use PDO over mysqli. It's way more consistent and user-friendly.
Just try to bind an array for use in IN() operator and see.
After all, it takes 2 times less code:
$stm = $pdo->prepare($query);
$stm->execute(array($email));
$id = $stm->fetchColumn();