This question already has answers here:
SQL injection that gets around mysql_real_escape_string()
(4 answers)
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
I'm not familiar with sql injection and I wanna know if there is any invulnerability in my script, if there is please point it out and give me some tip to fix it.
<?php
include("config.php");
?>
<?php
$desc = $_POST['desc'];
$desc = mysql_real_escape_string($desc);
$author = $_POST['author'];
$date = date("d/M/Y");
mysql_query("INSERT INTO `changelog`(`author`, `date`, `description`) VALUES ('{$author}','{$date}','$desc')") or die(mysql_error());
include("success.php");
?>
Yes there is. You are solely relying on mysql_real_escape_string which has been deprecated. Furthermore you should build some of your own logic tests based on a range of input that you are expecting. You might want to use RegExp or some other trimming functions but don't rely just on mysql_real_escape_string.
You should write some logic to test the data you are expecting.
You can check out http://php.net/manual/en/security.database.sql-injection.php for more information on preventing SQL Injections.
Related
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 4 years ago.
I generate a mysql query via $_GET in PHP via concatenation assignment (.=).
take a look:
$sql='SELECT * FROM table WHERE ';
$sql.='ID='.$_GET['id'].'';
$query=$PDO->prepare($sql);
how can i prevent mysql injection?
i use bind values for direct queries but in this case,i don't have any idea how i should write my code to be safe enough.
note that i use PHP 7 and i can't use mysql_real_escape_string(); as it's not available in PHP7.
You could use something like the following:
<?php
$sql = $PDO->prepare("SELECT * FROM table WHERE ID=?");
if ($sql->execute(array($_GET['id']))) {
while ($row = $sql->fetch()) {
print_r($row);
}
}
?>
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 4 years ago.
A team I work with has a habit of escaping IDs and integers in SQL like this:
$var = $var + 0;
$sql = "SELECT * FROM whatever WHERE id = $var";
Is this an acceptable way to prevent SQL injection in PHP, or is it vulnerable?
No its not a preventive way. Use PHP PDO. Read this:
https://www.w3schools.com/php/php_mysql_connect.asp
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
$type_of_poker = "hold'em no limit";
$sql = "INSERT INTO hands (type_of_poker) VALUES ('$type_of_poker')";
Im trying to put hold'em no limit into a SQL database but it won't let me
use ' i cant upload holdem no limit for a long list resones that have to do
with the rest of my code.
Instead of trying to escape the apostrophe, it is much better practice to use prepared statements and binded parameters which will also solve your problem. It solves your problem because you then don't need to escape the apostrophe ('):
$type_of_poker = "hold'em no limit";
//binding the parameters to your sql statement
$sql = "INSERT INTO hands (type_of_poker) VALUES (:type_of_poker)";
$stmt = $conn->prepare($sql);
$stmt->bindParam(':type_of_poker',$type_of_poker);
$stmt->execute();
Let me know if that worked for you! :)
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
Our Sitelock website security has picked up some pages on our website that are vulnerable to attacks.
It shows the description "Injection point: GET; Injection parameter: id; Injection type: numeric"
I think the mentioned code is
$sa1=DBSelect("select * from tbl where id='".$_REQUEST['sid']."'");
How can we fix it? Any idea?
First off, you shouldn't use $_REQUEST as it reads $_GET , $_POST and $_COOKIE variables and looks for the value in all of these.
Secondly, you aren't validating the user input to check whether it's safe. If an ID is an integer you should at least do something like this.
$sid = (int) $_GET['sid'];
$sa1=DBSelect("select * from tbl where id='" . $sid . "'");
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 3 years ago.
For example I use
$building_name = $_POST['BuildingName'];
$metering_type = $_POST['MeteringType'];
$query = "INSERT INTO buildings (BuildingName, MeteringType)
VALUES ('$building_name', '$metering_type')";
if(mysqli_query($link, $query))
{
echo json_encode(Array("success"=>true));
}
And I believe that this prevents me from SQL injections. Am I safe?
No, that doesn't protect you in the slightest.
You need to use MySQLi's parameterized queries via prepare.