Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 years ago.
The most common suggestion for protection against MySQL injection is prepared statements (either from PDO or mysqli). Say for whatever reason, I can't use prepared statements...how do I protect my data?
I would love to create a function like the following...
function cleanse($val) {
global $db;
$val = $db->real_escape_string($val);
return $val;
}
//Then I use it like
$sql = "select abc from dyf where z='".cleanse($_GET['id'])."'";
$db->query($sql); //etc...
But I'm not sure if that stops 1=1 attacks and attacks from strange foreign characters.
Is there a bullet proof way to make my cleanse function secure (no prepared functions!)?
Do I need to convert any string to utf-8?
If I wrap all column values in quotes and use mysqli's real_escape_string, am I ok?
Are there any other tricks that would make my cleanse function safe against injection?
I won't recommend it, but using mysql_real_escape_string can do the trick.
$sql = "select abc from dyf where z='".mysql_real_escape_string($_GET['id'])."'";
But if you can use PDO, use it any day; if you are limited, this would be an opportunity. Only works in some versions of PHP.
http://php.net/manual/en/function.mysql-real-escape-string.php
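Added example, not code from the question or the answer above: a hardened form of the asker's cleanse() for the case where prepared statements really are unavailable, next to the prepared-statement equivalent for comparison. It assumes a mysqli connection with placeholder credentials, sets the connection charset explicitly (escaping is only correct for the charset the connection actually uses), returns a fully quoted literal so the caller cannot forget the quotes, and validates integers separately because escaping does nothing for an unquoted numeric context. The table and column names are the ones from the question; the input value is constructed.

```php
<?php
// Added example (not from the question or answer): hardened escaping helpers
// for when prepared statements are not an option, plus the prepared form.
// Connection details are placeholders.

$db = new mysqli('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
if ($db->connect_errno) {
    die('connection failed: ' . $db->connect_error);
}
// real_escape_string() escapes according to the connection charset, so pin
// it instead of relying on whatever the server default happens to be.
$db->set_charset('utf8mb4');

// Returns a complete, quoted SQL string literal. The connection is passed in
// explicitly rather than pulled from a global.
function cleanse_str(mysqli $db, string $val): string {
    return "'" . $db->real_escape_string($val) . "'";
}

// Numeric contexts have no quotes to break out of, so escaping does not help;
// validate the value as an integer and use the converted number instead.
function cleanse_int(string $val): int {
    if (!preg_match('/^-?\d{1,18}$/', $val)) {
        throw new InvalidArgumentException('expected an integer');
    }
    return (int) $val;
}

// Constructed input (stands in for $_GET['id']): the kind of value the
// question is worried about.
$input = "x' OR 1=1 -- ";

$sql = "SELECT abc FROM dyf WHERE z = " . cleanse_str($db, $input);
// $sql is now: SELECT abc FROM dyf WHERE z = 'x\' OR 1=1 -- '
// The whole input is one string literal, so it can only match a row whose
// z column contains exactly that text.
$result = $db->query($sql);

$id = cleanse_int('42');
$byId = $db->query("SELECT abc FROM dyf WHERE id = $id");

// The prepared-statement equivalent: the value never enters the SQL text.
$stmt = $db->prepare("SELECT abc FROM dyf WHERE z = ?");
$stmt->bind_param('s', $input);
$stmt->execute();
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd
```

The two helpers cover the two contexts a value can appear in; anything else (an identifier, an ORDER BY direction, a LIMIT) is not data and has to be chosen from a fixed list in code rather than escaped.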
Closed 6 years ago.
I would like to know how to make a PHP file safer in general. I actually use mysqli, which is unfortunately not the newest version anymore, I know. I mysqli_escape_str...() all strings entered in input fields, too. But do you have some tips regarding the safety? I also use some AJAX, if you need to know that.
This is a huge subject and it depends what you're using at the moment, but by the sounds of it I would suggest things like PDO instead of mysqli, as this uses prepared statements. It's impossible for a SQL injection attack when using prepared statements properly. As for the AJAX, you could ensure you are using CSRF tokens.
In general you can find a lot of the security risks here: https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet and some ways to mitigate them.
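Added example for the CSRF-token suggestion above; it is not code from the answer. It keeps one token per session, embeds it in the page, and has the AJAX endpoint check it before doing any work. The header name X-CSRF-Token, the meta tag and the endpoint layout are assumptions.

```php
<?php
// Added example (not from the answer): session-based CSRF token for AJAX
// endpoints. Header and field names are assumptions.
session_start();

// One random token per session, generated from the CSPRNG.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; an absent or empty token never validates.
function csrf_check(?string $submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && $submitted !== null && hash_equals($expected, $submitted);
}

// When rendering the page, expose the token so the client-side script can
// send it back (it is not in a cookie, so a cross-site request cannot read it).
function csrf_meta_tag(): string {
    return '<meta name="csrf-token" content="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// In the AJAX endpoint: the JS sends the token in the X-CSRF-Token header
// (PHP exposes it as HTTP_X_CSRF_TOKEN); a form fallback field is also accepted.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $token = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? ($_POST['csrf_token'] ?? null);
    if (!csrf_check($token)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
    // ... handle the request, with prepared statements for any database work ...
}
```

The check runs before the request body is acted on, so a forged cross-site POST fails closed regardless of what it contains.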
When you deal with queries in a database, you have to make sure that there's no SQL injection. Now, because you already know mysqli_escape_str, I will suggest something better: use prepared queries.
Here's an example:
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);
// insert one row
$name = 'one';
$value = 1;
$stmt->execute();
// insert another row with different values
$name = 'two';
$value = 2;
$stmt->execute();
Closed 9 years ago.
I am learning PHP on my own and was wondering if I would be susceptible to SQL injections if I make the database name a $_GET, even if the normal command goes through a PDO function?
ex.
$hostname_Database = "blocked";
$database_Database = $_GET['henryfor'];
$username_Database = "blocked";
$password_Database = "blocked";
$dbh = new PDO("mysql:host=$hostname_Database;dbname=$database_Database", $username_Database, $password_Database);
...
If you allow the database name to come from $_GET you are allowing the end user to choose the database name. Normally this is a very bad idea, but for specialized applications (e.g. phpMyAdmin) that might be acceptable.
Additionally, because you're adding the name into a string with other connection information, there is nothing stopping the user from putting a ";" in the name, and then providing values for other parameters in the connection string.
So this isn't exactly the same as a SQL injection attack, but is in the same general category.
Like Waleen Khan said, you probably want to filter the database name so that only a whitelist of acceptable values is allowed. If that's not an option, you want to read up on whether the connection string supports some kind of escaping, and either escape special characters or filter them out.
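Added example (not from the question or the answer above) of the whitelist approach the answer recommends, with a fallback for the case where the list cannot be fixed in code. The allowed database names are constructed for illustration, credentials are placeholders, and the $_GET key is the one from the question.

```php
<?php
// Added example (not from the question or answer): the database name comes
// from the request, but only a fixed set of values can reach the DSN.
// Credentials are placeholders; the list of names is constructed.

const ALLOWED_DATABASES = ['reports_2023', 'reports_2024', 'archive'];

function select_database(?string $requested): string {
    if ($requested === null || !in_array($requested, ALLOWED_DATABASES, true)) {
        http_response_code(400);
        exit('unknown database');
    }
    return $requested;   // now guaranteed to be one of the literals above
}

$database = select_database($_GET['henryfor'] ?? null);

// $database cannot contain ';' or any other DSN separator, whatever the
// request carried, because it is one of the strings from the constant.
$dsn = "mysql:host=DB_HOST_PLACEHOLDER;dbname=$database;charset=utf8mb4";
$dbh = new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Fallback when the set of databases is not known in advance: restrict the
// name to a safe character class first, then confirm it exists by asking the
// server through a prepared statement on an already-open connection.
function database_exists(PDO $conn, string $name): bool {
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $name)) {
        return false;   // rejects ';', quotes, spaces and other DSN/SQL metacharacters
    }
    $stmt = $conn->prepare('SELECT 1 FROM information_schema.SCHEMATA WHERE SCHEMA_NAME = ?');
    $stmt->execute([$name]);
    return (bool) $stmt->fetchColumn();
}
```

The character-class check matters even with the existence query: a name can exist on the server and still be unsafe to interpolate into a DSN, so the regex is what keeps the connection string intact, and the catalogue lookup only decides whether the request makes sense.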
Closed 9 years ago.
I learned the following method to sanitize data
function sanitize($data)
{
return mysql_real_escape_string( $data);
}
Then the deprecation of some extensions within mysql is becoming a bit frustrating for beginners who did not know about it; however, it is a learning experience to know PHP properly. It is recommended to use mysqli_real_escape_string instead, and since this function requires 2 parameters, I have the following
function sanitize($data){
// 1. Create a database connection
$db = new mysqli('localhost','root','somepass','secured_login');
if($db->connect_errno){
$connect_error = 'Sorry, we are experiencing connection problems.';
die ($connect_error);
}
return htmlentities(strip_tags(mysqli_real_escape_string($db, $data)));
}
However, I have been getting the sense that many PHP programmers highly recommend using the PDO method instead.
My apologies for such a long intro; my question is... Is it safe to use the modified function sanitize where mysqli_real_escape_string is used instead of mysql_real_escape_string?
If not, then by using PDO I would need to learn OOP PHP instead of procedural. I hope I framed this question correctly. Is mixing both programming orientations (procedural and OOP) frowned upon?
What is the real advantage of using PDO in the long run? Thank you!
IMHO you have to learn how to use the PDO driver to prevent a headache from reinventing the wheel.
With an OOP driver like PDO you can also do cool stuff simply by extending the class, overriding some methods and changing a few lines of code.
You can also play with dependency-injected PDO-derived objects.
You can change the type of your database by editing the PDO::engine variable.
Plus you can easily prevent SQL injections of the 1st type.
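Added example, not from the question or the answer above: PDO with prepared statements wrapped in a few plain procedural functions, since the asker's concern was having to switch to OOP. It also shows where the htmlentities()/strip_tags() step from the posted sanitize() actually belongs (at output time, not before storage). The database name secured_login is the one in the question; the users table, its columns and the credentials are assumptions.

```php
<?php
// Added example (not from the question or answer): PDO behind procedural
// helpers, with escaping done at output rather than before storage.
// Credentials are placeholders; the users table is an assumption.

function db(): PDO {
    static $pdo = null;                          // one connection per request
    if ($pdo === null) {
        $pdo = new PDO(
            'mysql:host=DB_HOST_PLACEHOLDER;dbname=secured_login;charset=utf8mb4',
            'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER',
            [
                PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
                PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
            ]
        );
    }
    return $pdo;
}

// Runs a parametrised query. Values are bound, never concatenated, so there is
// no sanitize() step for the database at all.
function db_query(string $sql, array $params = []): PDOStatement {
    $stmt = db()->prepare($sql);
    $stmt->execute($params);
    return $stmt;
}

// Storage: keep the raw value. strip_tags()/htmlentities() here would corrupt
// data (a password containing '<' would silently change; O'Neill stays intact).
function create_user(string $username, string $password): void {
    db_query(
        'INSERT INTO users (username, password_hash) VALUES (?, ?)',
        [$username, password_hash($password, PASSWORD_DEFAULT)]
    );
}

function find_user(string $username): ?array {
    $row = db_query('SELECT id, username, password_hash FROM users WHERE username = ?', [$username])
        ->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function check_login(string $username, string $password): bool {
    $user = find_user($username);
    return $user !== null && password_verify($password, $user['password_hash']);
}

// Output: this is where HTML escaping belongs, on the way into the page.
function render_username(array $user): string {
    return '<span>' . htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8') . '</span>';
}
```

Nothing here requires writing classes of your own; the only object in play is the PDO handle returned by db(), and the rest of the code can stay procedural.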
Closed 8 years ago.
When should I use prepared statements? For any sort of query or just specific kinds?
Should I be using prepared statements for SELECTING, or INSERTING, both, etc?
When should I not use them?
Thanks.
Prepared statements should be used for queries containing parameters. Otherwise, they are a waste of resources.
Example:
$pdo->query("SELECT * FROM `table`"); //No need for preparing here, no parameters.
However
$pdo->prepare("SELECT * FROM `table` WHERE `id` = :id"); //Prepare.
When should I use prepared statements? For any sort of query or just specific kinds?
For any sort, preferably. Especially if you have a dedicated function or class for running queries. In such a case there should be just a single method for running all the queries, no matter if they have dynamic parts or not.
Not to mention that an all-static query like "SELECT * FROM table" is a rare thing outside of a sandbox.
Should I be using prepared statements for SELECTING, or INSERTING, both, etc?
Doesn't matter. The idea is to represent every dynamic value in the query with a placeholder. The query type absolutely doesn't matter.
When should I not use them?
This question is quite similar to the first one. You would do yourself a mighty favor if you use prepared statements all the way.
You should use prepared statements and parametrized queries whenever you are going to be using data that comes from anywhere outside of your program. That includes any interactions with the database, whether an INSERT, DELETE or UPDATE, or even a SELECT.
If you build SQL statements using data from the outside, you are in danger.
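Added example, not from any of the answers above: the "single method for running all the queries" that the second answer describes, built on PDO. It takes static and parametrised queries through one entry point, works the same for SELECT, INSERT, UPDATE and DELETE, and shows the one thing a placeholder cannot do (identifiers and ORDER BY columns). The `table` name matches the answers' snippets; the columns, credentials and request fields are assumptions.

```php
<?php
// Added example (not from the answers): one query method for every query.
// Credentials are placeholders; columns and request fields are assumptions.

final class Database {
    private PDO $pdo;

    public function __construct(string $dsn, string $user, string $pass) {
        $this->pdo = new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    }

    // The single entry point. With no parameters it runs the text directly
    // (nothing to bind); with parameters it always prepares and binds.
    public function run(string $sql, array $params = []): PDOStatement {
        if ($params === []) {
            return $this->pdo->query($sql);
        }
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt;
    }
}

$db = new Database(
    'mysql:host=DB_HOST_PLACEHOLDER;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER'
);

// Static query: no dynamic part, no placeholder needed.
$all = $db->run('SELECT * FROM `table`')->fetchAll();

// Every dynamic value is a placeholder, whatever the statement type.
$one = $db->run('SELECT * FROM `table` WHERE `id` = :id', ['id' => (int) ($_GET['id'] ?? 0)])->fetch();
$db->run('INSERT INTO `table` (`name`) VALUES (?)', [$_POST['name'] ?? '']);
$db->run('UPDATE `table` SET `name` = ? WHERE `id` = ?', [$_POST['name'] ?? '', 5]);
$db->run('DELETE FROM `table` WHERE `id` = ?', [5]);

// What a placeholder cannot carry: table names, column names and sort
// direction are structure, not data. Pick them from a fixed list instead.
$allowedSort = ['id', 'name'];
$sort = in_array($_GET['sort'] ?? '', $allowedSort, true) ? $_GET['sort'] : 'id';
$sorted = $db->run("SELECT * FROM `table` ORDER BY `$sort`")->fetchAll();
```

Because run() is the only way queries leave the application, a code review only has to confirm that nothing outside it concatenates request data into SQL.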
Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 8 years ago.
I don't understand, I transferred my files to new hosting and now I can get SQL injection, even if I use mysql_escape_string or addslashes. Before that, I never could get an SQL injection. What's wrong? Please help, I am going crazy.
edit: There is no SQL injection if I use ", but it gives SQL injection, if I use '. My head will explode really soon...
I think that mysql_real_escape_string is the function you want to use to protect your application from SQL injection....
Also make sure magic quotes are off...
It is very hard to craft code that escapes/sanitizes inputs to a point where they would be safe to submit directly to a SQL database. What you really should do is make use of parameterized queries in your code for all interactions with your database. This allows your database to determine what should be considered "command" and what should be considered "data", so that SQL injected into the "data" will still be seen as data.
Read more at OWASP's excellent discussion about this topic.
You may have had insecure code at the old host, and you just didn't know about it until you put the code at the new host, and people started attacking it there for whatever reason.
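Added example for the magic-quotes point raised in the second answer; it is not code from the question or the answers. On the PHP 5.x hosts this thread is about, magic_quotes_gpc could be on at one host and off at the next, which changes what addslashes() and the escape functions receive. This bootstrap check detects the setting and strips the extra slashes so input arrives in one consistent form and is escaped exactly once, by the database layer. It is written to run on PHP 5.3 as well as later versions (get_magic_quotes_gpc() always returns false from 5.4 and was removed in 8.0).

```php
<?php
// Added example (not from the question or answers): normalise request input
// when a legacy host still has magic quotes enabled. PHP 5.3-compatible on
// purpose, since that is the era in which the setting existed.

function magic_quotes_enabled() {
    // Removed in PHP 8; always false on 5.4+. Guard so the check itself cannot fatal.
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Recursively undo the slashes magic quotes added to every GPC value.
function strip_magic_quotes($value) {
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

if (magic_quotes_enabled()) {
    $_GET     = strip_magic_quotes($_GET);
    $_POST    = strip_magic_quotes($_POST);
    $_COOKIE  = strip_magic_quotes($_COOKIE);
    $_REQUEST = strip_magic_quotes($_REQUEST);
}

// From here on the application sees "O'Neill", not "O\'Neill", on every host.
// Hand that raw value to a prepared statement rather than escaping it again;
// double escaping is how an apostrophe turns into a visible "\'" in the data.
$name = isset($_GET['name']) ? $_GET['name'] : "O'Neill";   // constructed default

$db = new mysqli('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
$db->set_charset('utf8mb4');
$stmt = $db->prepare('SELECT id FROM users WHERE name = ?');  // users table is assumed
$stmt->bind_param('s', $name);
$stmt->execute();
```

Run this before any code that reads the superglobals; if it sits after a file that already called addslashes() on them, the values will be stripped once too many.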