This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
I'm new to PHP and i'm about to finish up a project, however i need to protect my database from SQL injections. Do i need to strip slashes on every sql query i do, or do i only need to do it for sql INSERT/UPDATE statements and not SELECT statements? Or is it best practice to do it for everything?
I'M NOT ASKING HOW TO PREVENT SQL INJECTION, I'M ASKING WHEN TO USE IT.
strip_slashes() is not what you want. You should be using prepared/parameterized queries which separate the data from the SQL, making it inherently safe from this problem.
Use PDO or mysqli with prepared statements.
There are so many other ways to inject using SQL. If you want a good example of this, here's one: /* in one field, */ in another. Everything in between will be commented on MySQL4 and MySQL5 without parametrization.
Switch to PDO/MySQLi and request true parametrization from the driver. This will force the driver to send the request without data first, and the data in another packet, thus forcing compliance, along with solving many, many headaches.
If this hasn't convinced you yet, try this link: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/ .
Use PDO. Not "PDO or MySQLi", but PDO. It's the only reliable driver available (though offers insufficient protection).
If you want full protection, use SafeMysql
I'M NOT ASKING HOW TO PREVENT SQL INJECTION, I'M ASKING WHEN TO USE IT.
Good question.
You don't need any protection or prevention.
You have to format your queries properly. ALWAYS.
Related
I'm starting fresh here and reading a lot of posts on injection. This one is excellent but it's 8 years old. Is it still valid? php/pdo/mysql is changing all the time. Thanks.
Are PDO prepared statements sufficient to prevent SQL injection?
The highest-rated answers there still very much apply.
In general, however, beware, of anyone who tells you that a certain method of preventing a certain security issue is a 100% cure. In this case, especially be careful with dynamic SQL. I would actually avoid using dynamic queries altogether if you're just getting started.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
How to prevent SQL injection in PHP?
I use PDO prepared statements to prevent MySQL injection, but should I be doing anything more to sanitize user input? The user will only be shown his own input and the input of others he "friends." Is there anything else I need to do to sanitize input?
I don't think that magic quotes are enabled, and I can't think of any other way a user could mess with my site, but I am new to this so I am not sure.
Thanks in advance!
If you're using prepared statements, then you shouldn't have any issue with MySQL injection.
If an application exclusively uses prepared statements, the developer
can be sure that no SQL injection will occur (however, if other
portions of the query are being built up with unescaped input, SQL
injection is still possible).
You might consider sanitizing your output, however, like only displaying certain HTML tags (if any at all), to avoid issues with someone messing with the site's layout or, worse, executing arbitrary JavaScript.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Best way to prevent SQL injection?
I just realized that the php script I use to pull mySQL data and display it on website is extremely vulnerable to SQL injection attacks. What practices are used to protect against these attacks?
Using mysqli_real_escape_string to escape whatever is going in is the least you should be doing.
You might also want to look into using prepared statements.
Read more here: http://php.net/manual/en/security.database.sql-injection.php
All the comments to your post are good suggestions. I personally prefer using prepared statements through PHP's PDO.
Every parameter you get from the user (whether direct or indirect), every value you you insert into your query from a variable you didn't explicitly set, etc, should be inserted into your queries using prepared statements. No exceptions. More experienced developers can get away with a few exceptions, but I would recommend no exceptions, ever.
See PDO::prepare in the PHP documentation for some examples.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
I'm starting to think about protecting my inputs from SQL injection. I've read about PDO and mysqli and will be using those techniques. While I was researching protection against SQL injection, I had a thought about a technique. Whenever I have an input from a user, I could scan the input string and search for occurrences of "'" or "DROP" and if the string contains those characters, then I could just not proceed. Would this technique prevent a lot of SQL injection?
Thanks for your help.
It is best to go with methods which have gone through rigorous testing before hand, and not try to implement your own.
A problem with your desired solution is, what happens when SQL add a new notation for dropping tables? Or what if they use 'truncate' instead? This is not foolproof.
Just use PDO or SQLi.
If used correctly and as intended, both will stop it; it'd be silly to use a measure like stopping the word DROP -- Imagine if someone types 'dropbox,' for example?
You should escape your input, and consider using prepared statements. This will remove nearly all SQL injection weaknesses. Scanning for specific words is a terrible practice, as it generally annoys legit users, and doesn't stop determined hackers.
Try to use only prepared statement. It one of the best technique ever.
http://php.net/manual/pt_BR/pdo.prepared-statements.php
The best way is to validate all user input against strict patterns to ensure no user data is abnormal, along with PDO prepared statements - this way you may also prevent XSS however it is usually beneficial to sanitize all user generated output as well just in case you didn't properly validate something and a user is able to execute malicious code.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
How to prevent SQL injection in PHP?
I am working for a video streaming website for my college library. I am using PHP and MySql. I have not used any parameterized queries in this project.
Recently I came to know about SQL injections. Now that my code is almost done and I have to submit the project in the next two days, how can I now ensure that my code is not SQL injection prone?
Converting the whole thing in to a parameterized interface is what I can't do now. What should I do now to avoid SQL Injections on my website?
The basic idea to prevent SQL injections (if not using Prepared Statements) is to escape your data.
When you inject some expected integer value into an SQL query, make sure it's an integer, using intval().
When you have a decimal/numeric field in your table, use floatval().
And when you have a string (char, varchar, text) field in your table, use the function provided by your API to escape strings :
mysql_real_escape_string()
mysqli_real_escape_string()
PDO::quote()
I really recommend that you go back and do it right with parameterized queries. It is the only solid path towards security. It likely won't take too long to do this once you get started.
You should also know that websites are never "finished". When you launch a site, your work has just begun. Fixing security troubles as you learn about them is part of it, and this is no different.
You'll want to make sure any user provided inputs that get used in SQL queries are escaped using the PHP function mysql_real_escape_string and if you are letting people submit text to run htmlentities on the provided text so XXS isn't possible. If possible, white-list user provided input and discard anything else
This is just touching the surface of what you can do but look into query escaping and preventing cross site scripting.
Use PDO (or alternatively mysqli or some abstraction layer) and prepared statements.
Quick example:
$pdo = new PDO($dsn);
$stmt = $pdo->prepare("SELECT name FROM users WHERE id = ?");
$stmt->execute(array($unsafe_id));
$name = $stmt->fetchColumn();
In this example, $unsafe_id will be safe to use. To quote the manual page:
Calling PDO::prepare() and
PDOStatement::execute() for statements
that will be issued multiple times
with different parameter values
optimizes the performance of your
application by allowing the driver to
negotiate client and/or server side
caching of the query plan and meta
information, and helps to prevent SQL
injection attacks by eliminating the
need to manually quote the parameters.
PDO will emulate prepared
statements/bound parameters for
drivers that do not natively support
them, and can also rewrite named or
question mark style parameter markers
to something more appropriate, if the
driver supports one style but not the
other.