This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 7 years ago.
I read so much about types to prevent sql injections. I probably don't want to use prepared statements if there is another way to prevent them by 100% of the cases.
Currently I'm sticking to this:
$safe_var = mysql_real_escape_string ( $unsafe_var);
mysql_set_charset("utf8");
$sql = "REPLACE `news` (`id`, `author`, `title`, `text`, `time`)" . "VALUES ('".$id."', '$author', '$title', '$text', UNIX_TIMESTAMP());";
mysql_query ( $sql );
For this example all the variables in the sql statement are constructed as the safe_var at the start. I see many opinions on what is save in sql and what not so I don't know what is right.
My question is, is this 100% save and is it save to use this way in every possible sql statement, by using mysql_real_escape_string and putting the variables in single quotes as I did in the statement?
Thanks in advance for help!
PS: I know there are many question likes this but everyone keeps saying diffrent stuff and I still not found anyone that says that my way is safe from sql injections in every possible statement.
At the least you would want to convert to mysqli rather than mysql. You would want to also further test the user input as much as possible to ensure it is legitimate.
Highly recommend pdo and prepared statements
Related
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 4 years ago.
most of the time I've been doing SQL like this:
$pdo = new PDO($dsn, $usr, $pass);
$qry = 'SELECT * FROM `my_table` WHERE `pk_id` = '. $id .';';
$res = $pdo->query($qry);
but recently I've seen a few posts showing that the only way to be safe is using prepared statements - this isn't an issue really for me, and this probably has an answer, just one I couldn't find from Googling around.
surely, if all of my statements, end in .';' using concat is ok?
Thanks,
No.
In SQL, it does not give an error if you supply two semi colons at the end of your query.
So if a user could pass along this:
1; DROP TABLE users;
it will have the same consequences, with or without the semi colon in your code added at the end.
The huge benefit of prepared statements is that no data is being altered. It just simply sends two queries.
Here is a a nice source which contains a lot of SQL injection examples.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example:
$unsafe_variable = $_POST['user_input'];
mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");
That's because the user can input something like value'); DROP TABLE table;--, and the query becomes:
INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')
What can be done to prevent this from happening?
The absolute minimum you need to do here is escape that variable:
$unsafe_variable = mysql_real_escape_string($_POST['user_input']);
Nothing in your query has to change at that point. This is not necessarily the end of the story, though, as mysql_real_escape_string is not invulnerable and you remain exposed to injection attacks by those using more sophisticated techniques.
The entire mysql_query API has been trashed, it's obsolete and the latest version of PHP no longer supports it. You need to move on to something better, and I'd recommend PDO as a baseline.
The best way to be sure you're doing it right is to use prepared statements with placeholder values. That is your query looks like this:
INSERT INTO table name (column1) VALUES (:column1)
With PDO you can name your placeholders. This makes executing your statement later very easy, you just match up the values:
$stmt->execute(array('column1' => $_POST['user_input'));
So the best way to avoid injection bugs is to avoid injection in the first place. Placeholder values will be substituted correctly, safely, and most important, consistently. All it takes is one mistake where you thought you escaped something but you didn't and people can bust your site wide open.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
I've build a website that will be going live soon and just have a couple questions about preventing SQL injection, I understand how to use mysqli_real_escape_string but I'm just wondering if I have to use that on all variables that I'm getting for my SQL statement and do I have to use it when I'm doing select statements also or just on insert update and delete? Also what other security would you recommend me implementing before I put the site live, thanks in advance for any help!
Any query can be injected whether it's read or write, persistent or transient. Injections can be performed by ending one query and running a separate one (possible with mysqli), which renders the intended query irrelevant.
Any input to a query from an external source whether it is from users or even internal should be considered an argument to the query, and a parameter in the context of the query. Any parameter in a query needs to be parameterized. This leads to a properly parameterized query that you can create a prepared statement from and execute with arguments. For example:
SELECT col1 FROM t1 WHERE col2 = ?
? is a placeholder for a parameter. Using mysqli, you can create a prepared statement using prepare, bind a variable (argument) to a parameter using bind_param, and run the query with execute. You don't have to sanitize the argument at all (in fact it's detrimental to do so). mysqli does that for you. The full process would be:
$stmt = $mysqli->prepare("SELECT col1 FROM t1 WHERE col2 = ?");
$stmt->bind_param("s", $col2_arg);
$stmt->execute();
There is also an important distinction between parameterized query and prepared statement. This statement, while prepared, is not parameterized and is thus vulnerable to injection:
$stmt = $mysqli->prepare("INSERT INTO t1 VALUES ($_POST[user_input])");
To summarize:
All Queries should be properly parameterized (unless they have no parameters)
All arguments to a query should be treated as hostile as possible no matter their source
suppose i have a query like this :
$std_id = $_POST['std_id'];
$name = $_POST['name'];
$family = $_POST['family'];
$sql = "insert into student set
std_id = $std_id,
name = '$name',
family = '$family'";
$query = mysql_query($sql,$conn);
i read in a php security book that if user enter a value for family field like :
ahmad';drop database test#
can delete database test;
but we know that the mysql_query() function only allow to execute one query .
i want to know how can this input to be unsafe
There are many delusions in your question.
Let's sort them out.
mysql_query() doesn't support multiple queries execution.
(so, it is useless to delete anything)
dropping tables in the separate query is not the only way of the SQL injection.
(so, it is useless to delete anything again)
To protect your query you have to follow some well-known techniques, not some handmade inventions of doubtful efficiency.
Just worrying about multiple queries is not enough to protect SQL Security ... There are so many questions / answers on SO for you to read about this subject ..
How can I prevent SQL injection in PHP?
GET parameters vulnerable to SQL Injection - PHP
php sql injection
Also good resources on php.net
http://php.net/manual/en/function.mysql-real-escape-string.php
http://php.net/manual/en/security.database.sql-injection.php
Using multiple queries separated by a semicolon is not the only way to exploit your queries, it is just a very simple example. It will work, when you are using mysqli_multi_query().
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Are dynamic mysql queries with sql escaping just as secure as prepared statements?
Is using only mysqli_real_escape_string enough to secure a query? Or is there more to consider when trying to securely query a database?
If used everywhere correctly real_escape_string is an option. But consider the following code:
$page = $_GET['page'];
$sql = 'SELECT `name` FROM `user` WHERE `id` = ' . mysqli_real_escape_string($page);
Safe or not? real_escape_string can only be used to escape strings inside quotation marks. $page could be 1 OR id IN (2,3,4,5,6,7,8,9) → no quotation marks, no real escaping. Casting to the correct datatype (int) might help in this case. You're better off using prepared statements, they are not as easily to mis-use.