This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
I am working on an existant web page and I modify the DOM with jQuery.
In my script, a POST Ajax call sends to a php file the parameter registration_id, which is only composed of numbers (for example 310).
This parameter is passed in a SQL request which returns 3 elements (id, context_id, time_spent from trackings table)
So, I have implemented some security in my php code:
I check if the POST Parameter is set
I check if the length is < 5
I check if the parameter is only composed of numbers with ctype_digit()
4th security: the access to the database is strict: I created a user which can only SELECT on trackings table the fields id, context_id, time_spent.
What do you think about that ?
Do you think I have to make prepared requets ?
Thank you in advance for your advices
Thomas
You don't know what you don't know. It looks like you have thought enough about security, but what if someone knows a trick that will still output more than you wanted? Don't try to implement your own security systems.
Prepared statements are proved to be secure. Use that if you want to make sure you are safe. You can keep the checks, they can still be useful for providing user feedback.
On the other hand, I cannot think of any injection you can do with only numbers smaller than 10000.
Related
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 7 years ago.
I was wondering if I'm safe from SQL injection if I have this in a script:
< script>
//some stuff
var item = <?php echo json_oncode($PHPVAR) ?>
item.replace(/"/,'"').replace(/'/,''');
//do more script stuff with item
< /script>
currently using Laravel (PHP), with PDO
Are there anything else that I should be aware of/look out for?
(I didn't whitelist/blacklist before submitting to database b/c PDO does that for me from what I understand)
Also I'm asking b/c item is taken from a user input and it dynamically creates HTML using the value of item
The question is somewhat unanswerable (atleast not in a way that will not give you a false sense of security) with the amount of resource provided.
Since you are using PDO I'll go right ahead and say that you ought to be using prepared statements. Injection on a whole primarily lies on how the Web Application handles user input.
Your question should be, "How does this piece of user input interact with my application?" -- ofcourse there isn't a set list of things to do in order to keep yourself protected from (B)SQLi (or other variants of Injection [XSS/LDAP]).
The following are some good resources that will help you out further with regards to SQL Injection on a whole (you need to know how the vulnerability works in general if you want to be able to cover something specific).
OWASP SQL Injection
Acunetix SQL Injection
SQL Injection Cheat Sheet
There isn't much more to specifically answer your question except maybe go deeper into how to handle user input with regards to the code you have provided (which we may but I don't think is required).
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
Little background.
I'm making a forum with an account system.
So naturally they have to insert data to the database whilist speaking in the forums.
What is the safest way to let the user input data in an textarea?
Is there away so they can't just type in DROP TABLE 'USERS', or something else that might effect my forum?
Now I know there is some solutions to this, but how can I do this so that they're able to make their text look nice (<h1>,<img>) etc, but not do a proper SQL query?
Kinda like this page is made, I can type here with all sorts of looks but I cannot do anything to harm the page.
Thanks.
-Kevin
Either mysqli_real_escape_string or Prepared statements for SQL injection
To keep the HTML injection, just dont do anything. Queries are already vulnerable to HTML injection.
In your case you might just want to use an editor for your forum posts, like: TinyMCE
You need to do (at least) two things:
Your database user should have only required grants on given table - so GRANT INSERT on yourtable TO youruser instead of GRANT ALL on yourtable TO youruser
Make yourself sql injection safe - by using prepared statements in your php code
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
I have input values like user can upload a photo, enter a username, password...etc
I want to test the SQL injection by myself and I want some way to prevent it.
I am using MySQL I know some of you will say use PDO or MySqli BUT at this time I am still having Mysql as database.
Thank You!
When testing an application of this sort, put values like this in every field:
<div style="background:red">It's Buggy</div>
If that isn't inserted correctly, you'll have errors. If it is inserted correctly and rendered as unescaped HTML you'll know immediately.
This applies to every single parameter that can come in via $_GET or $_POST.
Writing with mysql_query is hazardous at the best of times, and downright reckless if you're not extremely careful. PDO works well with MySQL and doesn't take that long to learn if you follow a good tutorial.
You should be writing queries like this:
INSERT INTO users (name) VALUES (?)
The ? is a data placeholder that you can safely bind against.
A better approach is to use something like Propel or Doctrine to provide a proper database layer. This makes your code much more readable and portable between MySQL and other databases.
Many documentation on google. See : https://stackoverflow.com/a/60496/2226755
Try putting ' or " in your input, if you've an error it's a sql injection.
Understanding SQL Injection
you can inject in SQl with code like
anything' OR 'x'='x
you can easily prevent this, just google "sql injection example(s)" and see for yourself
Injection techniques vary based on the use case. As an example for username/password checks, given this SQL:
SELECT user_id
FROM users
WHERE name = "$_POST['name']"
AND password = "$_POST['pass']";
...in this case, passing a simple " OR "" = " for the POSTed password field would yield this:
SELECT user_id
FROM users
WHERE name = ""
AND password = ""
OR "" = "";
...and BAM! There are user_id results where in reality there aren't supposed to be.
This is just one isolated case. I'd suggest looking into using PDO as your database driver to do injection checking for you!
This question already has answers here:
Should I escape an expected integer value using mysql_real_escape_string or can I just use (int)$expectedinteger
(2 answers)
Closed 9 years ago.
I have a PHP script that depending on the value of an id in a GET variable will retrieve different data from a mysql database. The value of the id should be a number at all times. Instead of changing my current mysql query to use PDO, would running isnumeric on the Get variable and exiting the script if it is not a number be sufficient to protect against injection in all or most cases, ie, would it still be possible for some injection sql to slip through isnumeric?
Just a humble comment on the duplicate question issue, I looked at the suggested duplicate question and think that as a beginner it might not be clear on its face that my question is an exact duplicate of that one.
Yes, it would protect in this case. No, it would be a really, really bad idea unless you absolutely know what you're doing and document the choice properly in comments.
There are 2 strategies towards any kind of security:
Denial. Choose the lazy approach that works for the situation at hand instead of fundamentally fixing it. Now wait for the day you forgot this was your 'security', and you change the code and it becomes vulnerable all of a sudden, and kiddie porn is uploaded to your site.
Professionalism. Fix the problem thoroughly, validate the inputs and protect your database layer properly, by either escaping or using prepared statements.
Choose professionalism and thank me a year from now.
Seems like this question has already been answered. And yes, the isNumeric trick essentially would only allow sanitized inputs, thus shielding your application from SQL injection.
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Best way to defend against mysql injection and cross site scripting
Validating user input?
I know that for mysql I can use > mysql_real_escape_string but what can I use for php server side to maximally secure it from hacking ? Is there any ultimate way to do it ? If not please write all possible ways to minimize threat of hacking the site.
Best way? Sanitize it when you need it
Often times I see things like
Bad code
foreach ($_GET as $k => $v){
$_GET[$k] = MyUberSanitizeFunction($v);
}
But that works very few times, and is very much type specific (i.e. in one instance an ID may only want to be numbers, but not every value should be stripped of non-numerics).
Worry about cleansing the information when you need it. If you're going to use it multiple times, cleanse it in to a stored variable, then work with it. But don't worry about "mass sanitizing" on every query request.