Which database access approach is used in CI? - php

I have heard (thanks to SO) that the mysql_* family of functions is vulnerable to SQL injections, so it is always recommended to use the mysqli_* OR PDO approach.
So, I tried to trace out which of these approaches is used in CodeIgniter, as I have been using CI for 4 months. But I could not get it out.
Can anybody tell me which of these or any other approach is used in CI?
Thanks in advance.

CodeIgniter uses whichever method you choose, based on your config/database.php file. For example, if you choose mysqli as your driver, it will use the mysqli family of functions. If you choose mysql, it will use the mysql family, and so on.
There is a PDO driver, but it's not the most stable thing in the world in the current releases.
If you're using the "active record" functions in CodeIgniter (which should really be called "query builder" functions, since they don't follow the Active Record pattern), then all of your data is automatically sanitized with the appropriate functions. If you say, for example, $this->db->where('field', $value), and you're using the mysqli driver, CodeIgniter will automatically call mysqli_real_escape_string on the $value input you pass to it, rendering the query safe.
I should also note that this automatic sanitization only applies to the active record helper functions, like $this->db->get and the like. If you try to run your own query using $this->db->query("SELECT * FROM table WHERE field = '" . $field . "'") then you need to take care to protect yourself, since you're bypassing CodeIgniter's security mechanisms. Running a query directly with the query() method is like saying "don't worry, I know what I'm doing." You need to specifically ask CodeIgniter to sanitize certain values for you by calling $this->db->escape() or its related functions. If you just concatenate variables into your query, then you're going to open yourself up to SQL injections.
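The three ways of getting a value into a query that the answer above describes, side by side, as an added example that is not CodeIgniter's own code. It assumes the CI 2.x/3.x `$this->db` API (query builder `where()`/`get()`, `query()` with a bind array, and `escape()`); note that CI's query bindings are escaped substitution performed by CI, not server-side prepared statements. The `Users` controller, the `user` table and the input value are constructed for the example.

```php
<?php
// Added example (not CodeIgniter's own code). Assumes CI 2.x/3.x's $this->db API.
class Users extends CI_Controller
{
    public function search()
    {
        // Constructed untrusted input: a classic tautology attempt.
        $name = "Jake' OR '1'='1";

        // 1. Query builder ("active record"): where() escapes $name for the
        //    active driver, so the quote becomes a literal part of the value.
        $rows = $this->db->where('name', $name)
                         ->get('user')
                         ->result_array();

        // 2. Query bindings: each ? is replaced by an escaped copy of the
        //    corresponding element of the bind array before the query runs.
        $rows = $this->db->query('SELECT id, name FROM user WHERE name = ?', array($name))
                         ->result_array();

        // 3. Raw query(): nothing is escaped for you. escape() returns the value
        //    escaped and wrapped in quotes, so it is the only piece of the
        //    string you should ever splice in.
        $rows = $this->db->query('SELECT id, name FROM user WHERE name = ' . $this->db->escape($name))
                         ->result_array();

        // The injectable form the answer warns about: plain concatenation,
        // where the quote in $name terminates the string literal.
        // $this->db->query("SELECT id, name FROM user WHERE name = '" . $name . "'");

        return $rows;
    }
}
```

Forms 1 and 2 are what the answer means by "CodeIgniter sanitizes for you"; form 3 is what "asking CodeIgniter to sanitize certain values" looks like once you have dropped down to `query()`.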

Related

FuelPHP: Two questions - DB and Custom functions

I'm pretty new to FuelPHP.
My first question is what is the best place to put custom functions? Right now, I just made a new file, func.php, inside the app/classes folder and access it like $func = new Func; $func->function_name(); - I don't think this is the best way to do it.
Secondly, for something I'm making, I'll be needing a lot of custom queries. Normally, I'd just use PDO's prepared statements and execute them, but I'm unsure how I'd go about sanitizing user input with DB::query(), without having to sanitize each individual variable.
Autoloading functions is not possible with PHP, so many people use classes, like you did... More information is available in this SO answer: Autoloader for functions
For prepared statements, you got that: http://docs.fuelphp.com/classes/database/usage.html#binding
You still can use plain old PDO if you want, it's totally possible.
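An added example of the binding approach the answer links to, not FuelPHP's own code. It assumes FuelPHP 1.x's `DB::query()` returning a `Database_Query` whose `param()` and `parameters()` methods substitute escaped, quoted values for the named `:placeholders`, and a `users` table; the input array is constructed.

```php
<?php
// Added example (not FuelPHP's own code). Assumes the FuelPHP 1.x DB class.
// Constructed untrusted input standing in for a form submission.
$post = array('name' => "Jake' OR '1'='1", 'min_age' => '18');

// Named placeholders; the query type is given explicitly so execute()
// returns a result set rather than an affected-row count.
$query = DB::query(
    'SELECT id, name FROM users WHERE name = :name AND age >= :min_age',
    DB::SELECT
);

// param() binds by value: each value is escaped and quoted for the
// connection before it replaces its placeholder, so the quote in
// $post['name'] cannot terminate the string literal.
$query->param('name', $post['name']);
$query->param('min_age', (int) $post['min_age']);

$rows = $query->execute()->as_array();

// Same thing in one chain, binding every placeholder at once.
$rows = DB::query('SELECT id, name FROM users WHERE name = :name', DB::SELECT)
    ->parameters(array('name' => $post['name']))
    ->execute()
    ->as_array();
```

This is the answer to the "without sanitizing each individual variable" part of the question: you never escape anything yourself, you only ever hand values to `param()`/`parameters()`.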

Is Propel's fromArray/fromJSON feature safe from SQL injection?

The Propel ORM documentation mentions a neat import/export feature using functions like fromArray and fromJSON, that should allow something like this:
$foo = new Widget();
$foo->fromArray($_POST);
$foo->save(); /* Aaand you're done! */
...but the documentation doesn't mention if using fromArray this way is supposed to be safe, i.e. if fromArray can handle untrusted input. My guess would be that it's all right - the default setters are injection-proof, and the whole deal is based on PDO - but I'd like to be sure.
Propel not only uses PDO for the queries, it also utilizes Prepared Statements via PDO, which are pretty good when it comes to mitigating SQL Injection attacks (and performance enhancing).
Note that just using PDO does NOT guarantee any protection against SQL Injection, always use Prepared Statements.
So as an answer to your question, yes, Propel fully utilizes PDO's abilities to protect from SQL Injection.
Propel is safe as Adnan said, but when you decide to use the fromArray() method, never pass the $_POST global variable directly. Otherwise, you open the door to the mass assignment attack.
You always have to check input data, in other words, you should never trust your users.
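Putting the two answers together, as an added example that is not Propel's own code: Propel's PDO prepared statements take care of the quoting, and an allow-list in front of `fromArray()` takes care of mass assignment. It assumes a Propel 1.x generated `Widget` model (`fromArray()` keyed by PHP column names, `save()`) with a `Name`, `Description`, `Price` and `IsAdmin` column; the input array is constructed.

```php
<?php
// Added example (not Propel's own code). Assumes a Propel 1.x Widget model.

// Columns a form is permitted to set. Anything else submitted is dropped,
// which is what closes the mass-assignment hole the second answer describes
// (e.g. a client adding IsAdmin=1 to the POST body).
$allowedFields = array('Name', 'Description', 'Price');

// Constructed untrusted input standing in for $_POST.
$input = array(
    'Name'    => "O'Reilly's Gadget",  // the quote is harmless: Propel binds it via PDO
    'Price'   => '19.99',
    'IsAdmin' => '1',                  // not on the allow-list, will be discarded
);

// array_intersect_key keeps only the keys present in the allow-list.
$clean = array_intersect_key($input, array_flip($allowedFields));

$widget = new Widget();
$widget->fromArray($clean);  // default key type is the PHP name, e.g. 'Name'
$widget->save();             // values are sent as PDO prepared-statement parameters
```

Do the filtering on the request side of `fromArray()`, as here, rather than trying to undo assignments afterwards; the model has no way of knowing which columns a given form was supposed to touch.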

Joomla and MySQL

Is there specific documentation available on Joomla regarding making database queries via MySQL in PHP?
What I'm really looking for:
Whether or not Joomla has its own database wrapper implemented, and if not, whether it is recommended to create one using the specified config parameters.
Whether or not Joomla has the capability to parameterize their queries to prevent SQL injection.
Yes, Joomla has its own OOP defined to deal with databases.
Usually, you will deal with code like this:
$db =& JFactory::getDBO();
$query = "SELECT * FROM #__example_table WHERE id = 999999;";
$db->setQuery($query);
You can read more here: How to use the database classes in your script
Yes, it has its own class, it's the class JDatabase if I recall correctly. There's an API page
where you get all the documented code on the framework.
At this Joomla wiki, then, you have examples on how to use the database class. Don't know if it is updated to the latest (1.7) version, but I'm pretty sure it works the same (at least it did for 1.6).
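An added example of the JDatabase usage sketched in the first answer, carried through to the point of reading rows, not code from the Joomla documentation. It assumes the Joomla 1.6/1.7 `JDatabase` API (`JFactory::getDBO()`, `quote()`, `setQuery()`, `loadObjectList()`, `getErrorNum()`/`getErrorMsg()`) and the `#__` table-prefix placeholder from the answer; the input values are constructed. This addresses the second part of the question: the 1.x `JDatabase` API discussed here has no bind placeholders, so `(int)` casts and `quote()` are its equivalent of parameterising a query.

```php
<?php
// Added example (not from the Joomla docs). Assumes Joomla 1.6/1.7 JDatabase.
$db = JFactory::getDBO();

// Constructed untrusted input, e.g. what JRequest::getVar() might hand back.
$id   = '999999 OR 1=1';
$name = "O'Reilly";

// Numeric input is cast, string input goes through quote(), which escapes
// the value for the active driver and wraps it in quotes. Nothing from the
// request is ever concatenated into the SQL as-is.
$query = 'SELECT * FROM #__example_table'
       . ' WHERE id = ' . (int) $id          // becomes 999999
       . ' AND name = ' . $db->quote($name); // becomes 'O\'Reilly'

$db->setQuery($query);
$rows = $db->loadObjectList();  // array of stdClass rows, empty array if none

if ($db->getErrorNum()) {
    JError::raiseWarning(500, $db->getErrorMsg());
}

foreach ($rows as $row) {
    echo htmlspecialchars($row->name, ENT_QUOTES, 'UTF-8'), "\n";
}
```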

Escaping Characters from MySQL from PHP Framework

I was wondering if, when using the database library in CodeIgniter, there was a way to automatically escape all the inputs to prevent injection. I know I can use mysql_real_escape_string() to do it, but I wondered if this was already set up to do this automatically; if not, are there any frameworks that have this included?
Thanks!
In order to use prepared statements, you can simply use query bindings with CodeIgniter.
$query = 'SELECT id, name FROM user WHERE name = ?';
$bind = array('Jake');
$this->db->query($query, $bind);
More info found here.
CakePHP runs all model queries through its own methods, if you use the model methods it automatically sanitizes any data passed to the query for you. i.e
$options['conditions'] = array('Product.status'=>$status);
$this->Product->find('first',$options);
Right, pretty much all frameworks that implement any sort of database abstraction/ORM layer will automatically mysql_real_escape your queries. If you don't want to use an entire framework, consider a generic ORM library like Propel or Doctrine. Alternatively, look into prepared statements.

Good extension/wrapper for mysqli that returns a associated array for a prepared sql statement

Can anyone recommend a good wrapper class or extension to PHP's mysqli extension that allows the equivalent of
mysql->fetch_assoc()
for a prepared statement. That is ideally it condenses down into a single statement the tedious complexity of the init/prepare/bind/fetch-loop.
Try dalmp.com / code.dalmp.com, currently in beta, but maybe you can help to test it.
Write a class that extends mysqli and adds that functionality!!!!
Here's a start
http://us.php.net/manual/en/mysqli-stmt.fetch.php#72720
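Taking the "extend mysqli" suggestion literally, here is an added example (not the linked php.net comment's code) of a subclass that collapses prepare/bind_param/execute/bind_result/fetch into a single call returning associative arrays. It assumes PHP 5.6+ for argument unpacking and deliberately uses `bind_result()` rather than `get_result()` so it works without mysqlnd; the connection details, `user` table and input values are constructed.

```php
<?php
// Added example (not from the php.net comment). A mysqli subclass that returns
// prepared-statement rows as associative arrays in one call.
class AssocMysqli extends mysqli
{
    /**
     * Run $sql with ? placeholders bound to $params and return all rows as
     * associative arrays. $types is a bind_param type string ('i', 'd', 's', 'b'
     * per parameter); it defaults to all strings.
     */
    public function fetch_all_assoc($sql, array $params = array(), $types = null)
    {
        $stmt = $this->prepare($sql);
        if ($stmt === false) {
            throw new RuntimeException('prepare failed: ' . $this->error);
        }

        if ($params) {
            if ($types === null) {
                $types = str_repeat('s', count($params));
            }
            // bind_param wants references; unpacking the array supplies them.
            $stmt->bind_param($types, ...$params);
        }

        if (!$stmt->execute()) {
            throw new RuntimeException('execute failed: ' . $stmt->error);
        }

        // bind_result needs one reference per result column; build them from
        // the result metadata so the caller never has to know the column list.
        $meta = $stmt->result_metadata();
        $row  = array();
        $refs = array();
        while ($field = $meta->fetch_field()) {
            $row[$field->name] = null;
            $refs[] = &$row[$field->name];
        }
        $meta->free();
        $stmt->bind_result(...$refs);

        $rows = array();
        while ($stmt->fetch()) {
            // $row's elements are references that mysqli overwrites on every
            // fetch(), so copy the values out element by element.
            $copy = array();
            foreach ($row as $name => $value) {
                $copy[$name] = $value;
            }
            $rows[] = $copy;
        }
        $stmt->close();

        return $rows;
    }
}

// Usage; connection details are placeholders, the input is constructed.
$db = new AssocMysqli('localhost', 'user', 'pass', 'shop');
$rows = $db->fetch_all_assoc(
    'SELECT id, name FROM user WHERE name = ? AND age > ?',
    array("Jake' OR '1'='1", 18),
    'si'
);
```

The copy loop inside `while ($stmt->fetch())` is the step most hand-written versions get wrong: assigning `$row` directly keeps the references, and every element of `$rows` ends up holding the last row.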
This is PHP 5 class that does just that: http://www.aplweb.co.uk/blog/php/mysqli-wrapper-class/
Just put in your settings and call one of the static functions.
It's actually really easy to write wrappers for or extend PDO.
$this->setAttribute(self::ATTR_STATEMENT_CLASS, array('yourClassName', array($this)));
Something like that will let you specify a class to replace PDOStatement.
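The same idea on the PDO side, as an added example rather than the answer's code: a `PDOStatement` subclass registered through `PDO::ATTR_STATEMENT_CLASS` that adds a one-call "execute and fetch all as associative arrays" helper. The DSN, credentials, `user` table and input value are constructed.

```php
<?php
// Added example (not the answer's code). PDO instantiates the registered
// statement class for every prepare(), so the helper is available on each.
class AssocStatement extends PDOStatement
{
    protected $pdo;

    // PDO calls this itself with the ctor args given to ATTR_STATEMENT_CLASS;
    // PDO rejects a statement class whose constructor is public.
    protected function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
    }

    /** Execute with the given bound values and return every row as an assoc array. */
    public function fetch_all_assoc(array $params = array())
    {
        $this->execute($params);
        return $this->fetchAll(PDO::FETCH_ASSOC);
    }
}

$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8', 'user', 'pass');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Use the server's prepared statements instead of client-side emulation.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->setAttribute(PDO::ATTR_STATEMENT_CLASS, array('AssocStatement', array($pdo)));

// Constructed untrusted input; it is sent as a parameter, never spliced into the SQL.
$rows = $pdo->prepare('SELECT id, name FROM user WHERE name = ?')
            ->fetch_all_assoc(array("Jake' OR '1'='1"));
```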
Zend_DB is a great wrapper for database functions including mysqli.
It has options to retrieve table data as associative arrays, or as objects if you desire. It also includes support for prepared statements.
You don't have to use the entire zend framework to use Zend_DB, you can use it on its own.