A good way to insert data to DB [duplicate] - php

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
$query = $this->db->prepare("INSERT INTO `images` (`anunt`, `image_location`) VALUES (?, ?)");
$query->bindValue(1, $iddd);
$query->bindValue(2, $image_location);
try {
    $query->execute();
} catch (PDOException $e) {
    // log the failure; the bound values never became part of the SQL text
    error_log($e->getMessage());
}
or this:
$ret = sql_query("INSERT INTO images (anunt, image_location) VALUES ('" .$iddd. "', '" .$image_location. "')");
Or another way, maybe?
What advantages does the bind one have? I read somewhere that it's hard to SQL inject.

Database pre-optimizations
When you initialize a prepared statement, the DBMS actually pre-optimizes the database and compiles your query. This would be useful if you plan to make multiple bound queries with the same prepared statement.
SQL Injection prevention
The PHP SQL drivers will escape any literals inside a bound value, to prevent SQL injection.

Is this query vulnerable to SQL Injection attacks [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 5 years ago.
I have been given a project to complete, in the backend there are SQL statements doing various things, as you'd expect.
In the past I have used PDO to construct SQL queries that use parameterisation to avoid injection attacks.
Whilst reading through the code I noticed many queries in the form of:
$sql = "SELECT * FROM detail WHERE email ='$email'";
$query = mysqli_query($dbcon, $sql);
With no parameterisation or cleaning of input.
Is this type of query vulnerable? Should there not be some form of parameterisation, and more importantly, should I explain the risks involved, as it seems the developer was unaware of the risk?
Yes, it is.
But you can use this with mysqli: http://php.net/manual/en/mysqli.prepare.php
So with your data it will be like this:
$prepare = $dbcon->prepare("SELECT * FROM detail WHERE email = ?");
$prepare->bind_param("s", $email);
$prepare->execute();

Prepared query strings [duplicate]

This question already has answers here:
How to echo a MySQLi prepared statement?
(6 answers)
Closed 5 years ago.
Is there any function that will return the prepared query string after processing all the parameters? Like:
$stmt = $conn->prepare("SELECT full_name FROM user_info where user_id = ?");
$stmt->bind_param("s", $user_id);
Can I see the final query string that will execute?
If the driver is capable of using prepared statements, i.e. it doesn't require emulation, then the final query executed is the prepared statement.
If you want to find out what was executed, you need to turn on the general query log on your server. That can be very, very noisy and fill up your disk quickly on a busy server.
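There is no PDO call that returns a "final" query, because with native prepares the server never assembles one. The following added example (not from the question or the answer) shows the two substitutes a developer usually wants: PDO's own debugDumpParams() view, and a log-only rendering produced by a hypothetical helper, renderForLog(), that quotes each value with PDO::quote() for display and is never executed. It uses an in-memory SQLite database so it runs without a MySQL server; the table, query and variable names follow the question.

```php
<?php
// Added example: no PDO call returns the "final" query, because with native
// prepares the server never assembles one. Two things you can do instead.
// Uses an in-memory SQLite database so it runs without a MySQL server.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE user_info (user_id TEXT, full_name TEXT)');
$conn->exec("INSERT INTO user_info VALUES ('u1', 'Ada')");   // constructed sample row

$sql = 'SELECT full_name FROM user_info WHERE user_id = ?';
$user_id = 'u1';
$stmt = $conn->prepare($sql);
$stmt->bindValue(1, $user_id, PDO::PARAM_STR);

// 1. PDO's own debug view: the SQL text as sent, plus each bound parameter.
$stmt->debugDumpParams();

// 2. A log-only rendering (hypothetical helper, not a PDO API): values are
//    quoted with PDO::quote() for display, and the result is never executed.
//    It substitutes each '?' in order, so it suits simple queries that have
//    no literal question marks inside string constants.
function renderForLog(PDO $pdo, string $sql, array $params): string
{
    foreach ($params as $p) {
        $pos = strpos($sql, '?');
        if ($pos === false) {
            break;
        }
        $quoted = is_int($p) ? (string) $p : $pdo->quote((string) $p);
        $sql = substr($sql, 0, $pos) . $quoted . substr($sql, $pos + 1);
    }
    return $sql;
}
error_log(renderForLog($conn, $sql, [$user_id]));

// The real execution still goes through the prepared statement.
$stmt->execute();
echo $stmt->fetchColumn(), "\n";
```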

Is my way of using mysql completely safe from SQL injection? [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 7 years ago.
I read so much about ways to prevent SQL injection. I probably don't want to use prepared statements if there is another way to prevent them in 100% of cases.
Currently I'm sticking to this:
$safe_var = mysql_real_escape_string ( $unsafe_var);
mysql_set_charset("utf8");
$sql = "REPLACE `news` (`id`, `author`, `title`, `text`, `time`) " . "VALUES ('".$id."', '$author', '$title', '$text', UNIX_TIMESTAMP());";
mysql_query ( $sql );
For this example, all the variables in the SQL statement are constructed as $safe_var at the start. I see many opinions on what is safe in SQL and what is not, so I don't know what is right.
My question is: is this 100% safe, and is it safe to use this way in every possible SQL statement, by using mysql_real_escape_string and putting the variables in single quotes as I did in the statement?
Thanks in advance for help!
PS: I know there are many questions like this, but everyone keeps saying different stuff and I still haven't found anyone who says that my way is safe from SQL injection in every possible statement.
At the least you would want to convert to mysqli rather than mysql. You would want to also further test the user input as much as possible to ensure it is legitimate.
Highly recommend PDO and prepared statements.
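As an added example (not the poster's code or the answerer's), here is the REPLACE from the question rewritten the way the answer recommends: PDO with a native server-side prepared statement, plus explicit validation of the inputs before they reach the database. It assumes a MySQL server, placeholder credentials, and assumed column length limits for the validation; the connection charset is declared in the DSN so it is in force before any value is sent.

```php
<?php
// Added example: the REPLACE from the question rewritten for PDO on MySQL.
// Assumes a MySQL server and the placeholder credentials below. The charset
// is declared in the DSN, so the connection encoding is set before any value
// is sent; with emulation off, the values never become part of the SQL text.
$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
    ]
);

// Validate the inputs as the answer suggests, independently of escaping:
// the id must be a positive integer, the text fields must exist and fit
// the (assumed) column sizes.
function validateNews(array $in): array
{
    $id = filter_var($in['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    foreach (['author' => 100, 'title' => 200, 'text' => 65535] as $field => $max) {
        if (!isset($in[$field]) || !is_string($in[$field]) || mb_strlen($in[$field]) > $max) {
            throw new InvalidArgumentException("$field missing or too long");
        }
    }
    return ['id' => $id, 'author' => $in['author'], 'title' => $in['title'], 'text' => $in['text']];
}

$news = validateNews($_POST);   // the values arrive from the request

$stmt = $pdo->prepare(
    'REPLACE INTO `news` (`id`, `author`, `title`, `text`, `time`)
     VALUES (:id, :author, :title, :text, UNIX_TIMESTAMP())'
);
$stmt->bindValue(':id', $news['id'], PDO::PARAM_INT);
$stmt->bindValue(':author', $news['author']);
$stmt->bindValue(':title', $news['title']);
$stmt->bindValue(':text', $news['text']);
$stmt->execute();
```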

Restricting PHP PDO execute() to running just the first SQL statement [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
Is there a way to restrict PHP PDO execute() to run just the first SQL statement?
For instance, running
SELECT * FROM customer;DROP TABLE invoice
will return all customers, but it will also delete the invoice table.
I have a situation where I need a whole SQL statement from a user but it must be a SELECT and nothing additional.
My example is just one of many that could be maliciously entered. It might include additional DROP, UPDATE, DELETE statements etc.
A prepared statement will simply replace ?s with values. It will not stop dangerous SQL statements being passed to it.
This would not be a problem if there were a way to restrict PHP PDO execute() to run just the first SQL statement.
If you're trying to prevent SQL injection, prepared statements can handle it.
You can use something like this to prevent SQL injection:
$stmt = $db->prepare("SELECT * FROM table WHERE id=? AND name=?");
$stmt->bindValue(1, $id, PDO::PARAM_INT);
$stmt->bindValue(2, $name, PDO::PARAM_STR);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
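The question asks about user-supplied SQL, which placeholders cannot help with. This added example (not from the question or the answer) shows two layers that do apply on MySQL: with emulation off, PDO hands the text to the server-side prepare, which accepts exactly one statement, so a string with a second statement after the semicolon is refused before anything runs; and the connection uses an account that only holds SELECT, so even a single statement cannot change data. It assumes a MySQL server, a placeholder database name and account, and a hypothetical helper, runReadOnlyQuery().

```php
<?php
// Added example for the multi-statement question. Assumes a MySQL server and
// placeholder credentials. Layer 1: with emulation off, PDO::prepare sends
// the text to MySQL's server-side prepare, which accepts exactly one
// statement, so "SELECT ...;DROP TABLE ..." is rejected before execution.
// Layer 2: the account used only has SELECT, so nothing it runs can modify
// data. Account to create beforehand (as an administrator):
//   CREATE USER 'report_ro'@'localhost' IDENTIFIED BY 'PASSWORD_PLACEHOLDER';
//   GRANT SELECT ON DB_NAME_PLACEHOLDER.* TO 'report_ro'@'localhost';
$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'report_ro',
    'PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // server-side prepare: one statement only
    ]
);

// Hypothetical helper: run user-supplied SQL only if it is a single SELECT
// and only through the read-only account. Returns the rows or throws.
function runReadOnlyQuery(PDO $pdo, string $userSql): array
{
    if (!preg_match('/^\s*SELECT\b/i', $userSql)) {   // cheap first filter, not the real guard
        throw new InvalidArgumentException('only SELECT statements are accepted');
    }
    $stmt = $pdo->prepare($userSql);   // a second statement after ';' makes this throw
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

try {
    $rows = runReadOnlyQuery($pdo, 'SELECT * FROM customer;DROP TABLE invoice');
} catch (PDOException $e) {
    // MySQL reports a syntax error at the ';' and nothing has been executed.
    error_log('rejected: ' . $e->getMessage());
}
```

The SELECT check only filters obvious mistakes early; the real guarantees come from the single-statement prepare and the privilege grant, which hold regardless of how the text is spelled.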

Prepared statement vs classic insert query [duplicate]

This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Php PDO::bindParam data types.. how does it work?
Could someone explain why a prepared statement is more secure:
$stmt = $conn->prepare("INSERT INTO users (user, pass, salt)
VALUES (:user, :pass, :salt)");
$stmt->bindParam(":user", $user);
$stmt->bindParam(":pass", $pass);
$stmt->bindParam(":salt", $salt);
$stmt->execute();
The insert query is first prepared with placeholders, then values are placed instead of the placeholders, but where is that famous secure point?
The values are not placed into the placeholders (depending on the backend, some do emulation, but let's not talk about them, as that's not prepared statements). The issue with traditional SQL is that the commands and data are mixed. Prepared statements get around that issue by intentionally keeping them separate at all times. Prepared statements aren't just a fancy way to automatically do mysqli_real_escape_string.
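The separation the answer describes can be observed directly. This added example (not the poster's code) runs the INSERT from the question against an in-memory SQLite database, once with the value concatenated into the SQL text and once as a bound parameter, using an ordinary name with an apostrophe as the constructed input: in the first case the parser sees the apostrophe as SQL grammar, in the second the statement text never contains the value at all.

```php
<?php
// Added example for the "where is the secure point" question. Uses an
// in-memory SQLite database so it runs offline; the table comes from the
// question. A value containing a quote shows the difference: concatenated
// into the SQL text it changes the statement, bound as a parameter it
// stays data.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE users (user TEXT, pass TEXT, salt TEXT)');

$user = "O'Brien";                  // constructed sample: an ordinary name with an apostrophe
$pass = 'hash-placeholder';
$salt = 'salt-placeholder';

// 1. Concatenation: the quote in the value closes the literal early, so the
//    parser reads "Brien" as part of the SQL grammar and reports a syntax error.
try {
    $conn->exec("INSERT INTO users (user, pass, salt) VALUES ('$user', '$pass', '$salt')");
} catch (PDOException $e) {
    echo "concatenated: ", $e->getMessage(), "\n";
}

// 2. Prepared statement: the SQL text contains only placeholders; the value
//    travels separately, so the parser never sees the apostrophe.
$stmt = $conn->prepare('INSERT INTO users (user, pass, salt) VALUES (:user, :pass, :salt)');
$stmt->bindParam(':user', $user);
$stmt->bindParam(':pass', $pass);
$stmt->bindParam(':salt', $salt);
$stmt->execute();
echo "statement text sent: ", $stmt->queryString, "\n";   // still shows :user, :pass, :salt

// The stored value is exactly the input, apostrophe included.
$stored = $conn->query('SELECT user FROM users')->fetchColumn();
var_dump($stored === $user);
```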
