This question already has answers here:
Should I escape an expected integer value using mysql_real_escape_string or can I just use (int)$expectedinteger
(2 answers)
Closed 9 years ago.
I have a PHP script that depending on the value of an id in a GET variable will retrieve different data from a mysql database. The value of the id should be a number at all times. Instead of changing my current mysql query to use PDO, would running isnumeric on the Get variable and exiting the script if it is not a number be sufficient to protect against injection in all or most cases, ie, would it still be possible for some injection sql to slip through isnumeric?
Just a humble comment on the duplicate question issue, I looked at the suggested duplicate question and think that as a beginner it might not be clear on its face that my question is an exact duplicate of that one.
Yes, it would protect in this case. No, it would be a really, really bad idea unless you absolutely know what you're doing and document the choice properly in comments.
There are 2 strategies towards any kind of security:
Denial. Choose the lazy approach that works for the situation at hand instead of fundamentally fixing it. Now wait for the day you forgot this was your 'security', and you change the code and it becomes vulnerable all of a sudden, and kiddie porn is uploaded to your site.
Professionalism. Fix the problem thoroughly, validate the inputs and protect your database layer properly, by either escaping or using prepared statements.
Choose professionalism and thank me a year from now.
Seems like this question has already been answered. And yes, the isNumeric trick essentially would only allow sanitized inputs, thus shielding your application from SQL injection.
Related
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 7 years ago.
I was wondering if I'm safe from SQL injection if I have this in a script:
< script>
//some stuff
var item = <?php echo json_oncode($PHPVAR) ?>
item.replace(/"/,'"').replace(/'/,''');
//do more script stuff with item
< /script>
currently using Laravel (PHP), with PDO
Are there anything else that I should be aware of/look out for?
(I didn't whitelist/blacklist before submitting to database b/c PDO does that for me from what I understand)
Also I'm asking b/c item is taken from a user input and it dynamically creates HTML using the value of item
The question is somewhat unanswerable (atleast not in a way that will not give you a false sense of security) with the amount of resource provided.
Since you are using PDO I'll go right ahead and say that you ought to be using prepared statements. Injection on a whole primarily lies on how the Web Application handles user input.
Your question should be, "How does this piece of user input interact with my application?" -- ofcourse there isn't a set list of things to do in order to keep yourself protected from (B)SQLi (or other variants of Injection [XSS/LDAP]).
The following are some good resources that will help you out further with regards to SQL Injection on a whole (you need to know how the vulnerability works in general if you want to be able to cover something specific).
OWASP SQL Injection
Acunetix SQL Injection
SQL Injection Cheat Sheet
There isn't much more to specifically answer your question except maybe go deeper into how to handle user input with regards to the code you have provided (which we may but I don't think is required).
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
I am working on an existant web page and I modify the DOM with jQuery.
In my script, a POST Ajax call sends to a php file the parameter registration_id, which is only composed of numbers (for example 310).
This parameter is passed in a SQL request which returns 3 elements (id, context_id, time_spent from trackings table)
So, I have implemented some security in my php code:
I check if the POST Parameter is set
I check if the length is < 5
I check if the parameter is only composed of numbers with ctype_digit()
4th security: the access to the database is strict: I created a user which can only SELECT on trackings table the fields id, context_id, time_spent.
What do you think about that ?
Do you think I have to make prepared requets ?
Thank you in advance for your advices
Thomas
You don't know what you don't know. It looks like you have thought enough about security, but what if someone knows a trick that will still output more than you wanted? Don't try to implement your own security systems.
Prepared statements are proved to be secure. Use that if you want to make sure you are safe. You can keep the checks, they can still be useful for providing user feedback.
On the other hand, I cannot think of any injection you can do with only numbers smaller than 10000.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
How to prevent SQL injection?
I am setting up a comment system on my site and I wanted to know if this is save. I use PHP and MySQL.
- Do not use code below, it's horribly insecure -
Creating a new comment:
User writes $comment, submits it
$comment = addslashes($comment);
insert $comment into MySQL database
Reading a comment:
User requests a comment, database delivers $comment
$comment = htmlspecialchars(stripslashes($comment));
echo $comment;
The system should be secure against HTML manipulations and MySQL injections. And all other nasty stuff I am not aware of. Am I doing it right?
Bonus question: What collation should I use for $comment in my MySQL table?
Edit: wow I didn't think my question could cause this huge discussion. Thank you for all your answers :)
Consider switching to prepared statements right from the start :-)
They may seem a bit overheaded now, but you safe so much time worrying about escaping each and every parameter that it pays back.
Here is a good Tutorial: http://www.kitebird.com/articles/php-pdo.html.
When printing out user defined content, you still need to use htmlspecialchars to account for XSS invulnerabilities.
Use mysql_real_escape_string (or whatever escaping function comes with your library) instead of addslashes.
Don't use stripslashes, because they have already been stripped by having been parsed by MySQL, and you run the risk of erasing legitimate backslashes in the input.
For the collation, use whatever you like. I prefer latin_general_ci, but if you want unicode you should use a UTF8-compatible collation.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
I'm starting to think about protecting my inputs from SQL injection. I've read about PDO and mysqli and will be using those techniques. While I was researching protection against SQL injection, I had a thought about a technique. Whenever I have an input from a user, I could scan the input string and search for occurrences of "'" or "DROP" and if the string contains those characters, then I could just not proceed. Would this technique prevent a lot of SQL injection?
Thanks for your help.
It is best to go with methods which have gone through rigorous testing before hand, and not try to implement your own.
A problem with your desired solution is, what happens when SQL add a new notation for dropping tables? Or what if they use 'truncate' instead? This is not foolproof.
Just use PDO or SQLi.
If used correctly and as intended, both will stop it; it'd be silly to use a measure like stopping the word DROP -- Imagine if someone types 'dropbox,' for example?
You should escape your input, and consider using prepared statements. This will remove nearly all SQL injection weaknesses. Scanning for specific words is a terrible practice, as it generally annoys legit users, and doesn't stop determined hackers.
Try to use only prepared statement. It one of the best technique ever.
http://php.net/manual/pt_BR/pdo.prepared-statements.php
The best way is to validate all user input against strict patterns to ensure no user data is abnormal, along with PDO prepared statements - this way you may also prevent XSS however it is usually beneficial to sanitize all user generated output as well just in case you didn't properly validate something and a user is able to execute malicious code.
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Best way to stop SQL Injection in PHP
I'm currently designing and building my own content management system and my main worry is someone using an sql injection on my forms. I have a decent amount of security to get into my CMS but on the front end of the site I'll have a subscriber form and contact for which will link to my mySql database.
What tend to be the conventional PHP methods for preventing sql injection on forms?
any help would be great, thanks.
There's a function mysql_real_escape_string() which is generally seen as a basic requirement for preventing this kind of attack.
Don't forget to also set a character encoding. I'd suggest UTF-8. And make sure your HTML uses the same encoding as your database/tables.
Probably one of the best solutions is to filter all incoming data with function mysql_real_escape_string
To protected yourself against SQL Injection you need to sanitize input and use parameter queries.
I'm not sure about PHP, but I think you have something like prepared statements. You should search and read a little about it.
Also, that is not the only problem you should care about, please (!!!) take a look at https://www.owasp.org/index.php/Main_Page