Closed 9 years ago.
I am learning PHP on my own and was wondering if I would be susceptible to SQL injections if I make the database name a $_GET value, even if the normal command goes through a PDO function?
ex.
```php
$hostname_Database = "blocked";
$database_Database = $_GET['henryfor'];
$username_Database = "blocked";
$password_Database = "blocked";
$dbh = new PDO("mysql:host=$hostname_Database;dbname=$database_Database", $username_Database, $password_Database);
// ...
```
If you allow the database name to come from $_GET you are allowing the end user to choose the database name. Normally this is a very bad idea, but for specialized applications (e.g. phpMyAdmin) that might be acceptable.
Additionally, because you're adding the name into a string with other connection information, there is nothing stopping the user from putting a ";" in the name, and then providing values for other parameters in the connection string.
So this isn't exactly the same as a SQL injection attack, but is in the same general category.
Like Waleen Khan said, you probably want to filter the database name so that only a whitelist of acceptable values is allowed. If that's not an option, you want to read up on whether the connection string supports some kind of escaping, and either escape special characters or filter them out.
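A whitelist check for the database name, as an added example that is not part of the original answer: the list of allowed names, the host value and the function names are assumptions, and the check is a strict comparison rather than escaping, so a value such as "shop;host=evil.example" arriving in $_GET never reaches the DSN.

```php
<?php
declare(strict_types=1);

// Constructed list of database names this application may open (assumption).
const ALLOWED_DATABASES = ['shop', 'shop_archive', 'reports'];

function selectDatabase(?string $requested, array $allowed): string
{
    // Strict membership test: no type juggling, no partial or case-insensitive
    // matches, and nothing is escaped because nothing untrusted is passed through.
    if ($requested === null || !in_array($requested, $allowed, true)) {
        throw new InvalidArgumentException('Unknown database requested');
    }
    return $requested;
}

function buildDsn(string $host, string $dbName): string
{
    // The host is fixed by the application; $dbName has already passed the whitelist,
    // so no ";key=value" fragment from the request can be appended to the DSN.
    return "mysql:host={$host};dbname={$dbName};charset=utf8mb4";
}

// Demonstration with constructed inputs (the real caller would pass $_GET['henryfor'] ?? null).
// No connection is opened here; only the DSN construction is exercised.
$cases = ['shop', 'shop;host=evil.example', 'reports ', 'SHOP', null];
foreach ($cases as $case) {
    try {
        $dsn = buildDsn('localhost', selectDatabase($case, ALLOWED_DATABASES));
        echo var_export($case, true), " -> accepted: {$dsn}\n";
    } catch (InvalidArgumentException $e) {
        echo var_export($case, true), " -> rejected: {$e->getMessage()}\n";
    }
}
```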
Closed 7 years ago.
The most common suggestion for protection against MySQL injection is prepared statements (either from PDO or mysqli). Say, for whatever reason, I can't use prepared statements... how do I protect my data?
I would love to create a function like the following...
```php
function cleanse($val) {
    global $db;
    $val = $db->real_escape_string($val);
    return $val;
}
// Then I use it like
$sql = "select abc from dyf where z='".cleanse($_GET['id'])."'";
$db->query($sql); // etc...
```
But I'm not sure if that stops 1=1 attacks and attacks from strange foreign characters.
Is there a bullet proof way to make my cleanse function secure (no prepared functions!)?
Do I need to convert any string to utf-8?
If I wrap all column values in quotes and use mysqli's real_escape_string, am I ok?
Are there any other tricks that would make my cleanse function safe against injection?
I won't recommend it, but using mysql_real_escape_string can do the trick.
```php
$sql = "select abc from dyf where z='".mysql_real_escape_string($_GET['id'])."'";
```
But if you can use PDO, use it any day; if you are limited, this would be an opportunity. Only works in some versions of PHP.
http://php.net/manual/en/function.mysql-real-escape-string.php
Closed 8 years ago.
I need guidance on how mysql_real_escape_string works on this statement; I don't want the mysqli and PDO types. I have tried it, but it is not working, and I need some help with this.
```php
$UserName = mysql_real_escape_string($_POST['UserName']);
$password = mysql_real_escape_string($_POST['Password']);
// Insert data into mysql
$sql1 = "INSERT INTO UserDetail (UserName,Password,Email_Address,Verifycode,AcoountStatus) VALUES ('$UserName','$encry_pass','$email','$verify_code','Inactive')";
```
It is not working … strings like />. can still be entered into the SQL database.
It is working.
mysql_real_escape_string is a function that escapes characters which have special meaning in SQL.
/ and > do not have special meaning in SQL, so it shouldn't touch them.
If they did have special meaning, then the point of the function is to allow them to be inserted into the database. It makes changes such as converting ' (meaning "Start or end an SQL string") to \' (meaning "An apostrophe").
Closed 8 years ago.
What is the format in which PHP sends queries to SQL Server? Is that some human readable code?
How can I check whether the SQL query in PHP and in SQL Server is the same?
How can I tell SQL Server not to accept any injection?
Please share any link or knowledge you know in this regard.
SQL injection is as simple as it is widely misunderstood.
SQL (as most other computer languages) is text where you have:
Language specific keywords: SELECT, INSERT, UPDATE, FROM...
Custom identifiers: customers, providers, shipping_history...
Data: Hamlet, Patrick O'Brian, 3.1416, 21st August 1974...
The language provides a syntax to tell them apart (in SQL, it basically depends on context, quotes and what character it starts with).
SQL is safe because a random user is not allowed to access the database server and run arbitrary queries. For example, the database is password protected. Thus a hacker can't just connect and do:
```sql
SELECT credit_card FROM customers;
DELETE FROM criminal_records;
```
SQL injection happens when you allow a random user to generate SQL code and you gladly run the resulting code for him:
```sql
SELECT * FROM users WHERE password='' or '1'='1'
```
Now you have some perfectly valid SQL code. That code is only text so there's no way to say where each individual character came from. Text does not have memory.
As I said, it's trivial to avoid:
```
Query: SELECT * FROM users WHERE password=?
Data:  ' or '1'='1
```
Now we don't even need to care about injection: that's the exact SQL code written by us, not some other guy.
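The placeholder approach from the answer above beside the concatenated form, as an added example that is not the answer's own code. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite table so it runs offline; against MySQL only the DSN would change, the prepared-statement calls are the same.

```php
<?php
declare(strict_types=1);

// Added example: in-memory SQLite through PDO (assumption: pdo_sqlite is available).
// Passwords are stored in plain text only to mirror the query in the answer;
// a real application stores and compares password hashes instead.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
$pdo->exec("INSERT INTO users (name, password) VALUES ('alice', 'correct-horse')");

// The input from the answer above: ordinary data that happens to be valid SQL syntax.
$input = "' or '1'='1";

// Vulnerable form: the input is spliced into the query text, so the server parses
//   WHERE password='' or '1'='1'
// and the condition is true for every row in the table.
function countConcatenated(PDO $pdo, string $input): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE password='" . $input . "'";
    return (int) $pdo->query($sql)->fetchColumn();
}

// Prepared form: the query text is fixed by the programmer; the input travels
// separately as a bound value and is only ever compared, never parsed as SQL.
function countPrepared(PDO $pdo, string $input): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE password = ?');
    $stmt->execute([$input]);
    return (int) $stmt->fetchColumn();
}

printf("concatenated, injected input: %d row(s)\n", countConcatenated($pdo, $input));
printf("prepared, injected input:     %d row(s)\n", countPrepared($pdo, $input));
printf("prepared, real password:      %d row(s)\n", countPrepared($pdo, 'correct-horse'));
```

The first line matches the only row even though the password is wrong; the second matches nothing, because the bound value is compared as a string, and the third matches the row only when the genuine password is supplied.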
Closed 9 years ago.
On my friend's and my site there is a form with a login textbox. If the login doesn't exist, an error appears:
"Error occurred. 151SQLSTATE[3D000]: Invalid catalog name: 1046 No database selected".
If I enter an invalid login + some SQL (e.g. "iu7' or '1=1'--"), it doesn't show any data, nor any error.
Is that form safe? Is it possible to enter a valid login + SQL to switch the login to its password in the result? What do you think of it?
You should always escape the input values by using mysql_real_escape_string($_POST['...']) before submitting a query. This way, you should be safe with any string they put in.
I don't think people on SO are going to help you inject other sites, so that's all I'm gonna say for now.
That depends on how you're building your SQL commands with the posted data. If you are simply building a string out of the values, then you are at risk of SQL injection attacks.
Take a look at this article:
http://php.net/manual/en/pdo.prepared-statements.php
It explains how to build prepared statements in PHP, which will protect against SQL injection.
Closed 8 years ago.
What is the worst that could happen to my database if my PHP code has a SQL injection vulnerability in the WHERE clause, i.e. SELECT * FROM table WHERE id='$unescapedstring'?
Sorry, forgot to mention MySQL.
What if $unescapedstring is set to cake';DROP TABLE 'table';--? That'll execute the select, followed by the DROP TABLE statement. Replace the drop table with whatever SQL you want, and you've got yourself the ability to execute any SQL. They can download your database, or wipe it, or modify records... just don't do it. Sanitize your inputs! Otherwise, your users have free rein on your database.
While the other answers are completely correct, if you have your MySQL user accounts set up correctly, the account executing those queries probably shouldn't have permissions to alter/create/drop tables/databases. Therefore, the worst that could happen in that scenario: DELETE FROM table
The worst that can happen? I'd say that anything can happen with that query.
For example, I submit this:
```
unescapedstring: '; (any other query)
```
Now, your query becomes:
```sql
SELECT * FROM table WHERE id=''; (any other query)
```
From there, I have the ability to execute any MySQL command. I can drop your whole database, I can edit it, I can download your database, and if your server permits, I can even go as far as rooting your actual server.
Basically, the attacker has full access to your MySQL installation. Expect anything.