This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
How to prevent SQL injection in PHP?
I use PDO prepared statements to prevent MySQL injection, but should I be doing anything more to sanitize user input? The user will only be shown his own input and the input of others he "friends." Is there anything else I need to do to sanitize input?
I don't think that magic quotes are enabled, and I can't think of any other way a user could mess with my site, but I am new to this so I am not sure.
Thanks in advance!
If you're using prepared statements, then you shouldn't have any issue with MySQL injection.
If an application exclusively uses prepared statements, the developer
can be sure that no SQL injection will occur (however, if other
portions of the query are being built up with unescaped input, SQL
injection is still possible).
You might consider sanitizing your output, however, like only displaying certain HTML tags (if any at all), to avoid issues with someone messing with the site's layout or, worse, executing arbitrary JavaScript.
Related
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
I'm new to PHP and i'm about to finish up a project, however i need to protect my database from SQL injections. Do i need to strip slashes on every sql query i do, or do i only need to do it for sql INSERT/UPDATE statements and not SELECT statements? Or is it best practice to do it for everything?
I'M NOT ASKING HOW TO PREVENT SQL INJECTION, I'M ASKING WHEN TO USE IT.
strip_slashes() is not what you want. You should be using prepared/parameterized queries which separate the data from the SQL, making it inherently safe from this problem.
Use PDO or mysqli with prepared statements.
There are so many other ways to inject using SQL. If you want a good example of this, here's one: /* in one field, */ in another. Everything in between will be commented on MySQL4 and MySQL5 without parametrization.
Switch to PDO/MySQLi and request true parametrization from the driver. This will force the driver to send the request without data first, and the data in another packet, thus forcing compliance, along with solving many, many headaches.
If this hasn't convinced you yet, try this link: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/ .
Use PDO. Not "PDO or MySQLi", but PDO. It's the only reliable driver available (though offers insufficient protection).
If you want full protection, use SafeMysql
I'M NOT ASKING HOW TO PREVENT SQL INJECTION, I'M ASKING WHEN TO USE IT.
Good question.
You don't need any protection or prevention.
You have to format your queries properly. ALWAYS.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
How to prevent SQL injection?
This is more of a philosophical point i'm trying to determine, out of curiosity.
I know that theoretically, any password or encryption is crackable.
But is it the same with SQL injection, where one just has to find the appropriate measures to deal with /bypass whatever security measures are implemented in the site? Or is injection something that can be definitively and with certainty defended against using a fixed set of security measures?
Im essentially wondering if it is possible to the input fields in my site unhackable through injection, or whether there will always be some vulnerability?
Being vulnerable to SQL injection is a bug. A well-built application will not contain such a bug, and no amount of effort will make such a bug appear.
SQL injection implies the data entered conforms to valid SQL (though typically injected in a creative way to produce undesired results).
To protect against it, you simply need to ensure that any user supplied data is encoded in a way that it cannot be misused.
As mentioned in a link above ( How can I prevent SQL injection in PHP? ), using prepared statements is a best practice to protect against SQL injection.
Sql injection is a technique used to hijack the security of website.
Sql injection occurs when data specified in input fields are not filtered for escape characters and passed into sql query for execution.
For testing sql injection please refer the following url.
http://sqlzoo.net/hack/
In above url try specifying "'" in field for name and specify "OR 1=1 #" in field for password
So the resultant query will be
SELECT * from user where name='' OR 1=1#' and password='';
In the above example you can notice that query is broken after specifying above data in input fields and any anonymous user can easily login into website.
There are several techniques to prevent sql injection.
(1) Input data must be filtered using mysql_real_escape_string while being passed into sql query for execution.
For more details about mysql_real_escape_string function please refer the documentation mentioned in below url.
http://php.net/manual/en/function.mysql-real-escape-string.php
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Best way to prevent SQL injection?
I just realized that the php script I use to pull mySQL data and display it on website is extremely vulnerable to SQL injection attacks. What practices are used to protect against these attacks?
Using mysqli_real_escape_string to escape whatever is going in is the least you should be doing.
You might also want to look into using prepared statements.
Read more here: http://php.net/manual/en/security.database.sql-injection.php
All the comments to your post are good suggestions. I personally prefer using prepared statements through PHP's PDO.
Every parameter you get from the user (whether direct or indirect), every value you you insert into your query from a variable you didn't explicitly set, etc, should be inserted into your queries using prepared statements. No exceptions. More experienced developers can get away with a few exceptions, but I would recommend no exceptions, ever.
See PDO::prepare in the PHP documentation for some examples.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
I'm starting to think about protecting my inputs from SQL injection. I've read about PDO and mysqli and will be using those techniques. While I was researching protection against SQL injection, I had a thought about a technique. Whenever I have an input from a user, I could scan the input string and search for occurrences of "'" or "DROP" and if the string contains those characters, then I could just not proceed. Would this technique prevent a lot of SQL injection?
Thanks for your help.
It is best to go with methods which have gone through rigorous testing before hand, and not try to implement your own.
A problem with your desired solution is, what happens when SQL add a new notation for dropping tables? Or what if they use 'truncate' instead? This is not foolproof.
Just use PDO or SQLi.
If used correctly and as intended, both will stop it; it'd be silly to use a measure like stopping the word DROP -- Imagine if someone types 'dropbox,' for example?
You should escape your input, and consider using prepared statements. This will remove nearly all SQL injection weaknesses. Scanning for specific words is a terrible practice, as it generally annoys legit users, and doesn't stop determined hackers.
Try to use only prepared statement. It one of the best technique ever.
http://php.net/manual/pt_BR/pdo.prepared-statements.php
The best way is to validate all user input against strict patterns to ensure no user data is abnormal, along with PDO prepared statements - this way you may also prevent XSS however it is usually beneficial to sanitize all user generated output as well just in case you didn't properly validate something and a user is able to execute malicious code.
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Best way to stop SQL Injection in PHP
I'm currently designing and building my own content management system and my main worry is someone using an sql injection on my forms. I have a decent amount of security to get into my CMS but on the front end of the site I'll have a subscriber form and contact for which will link to my mySql database.
What tend to be the conventional PHP methods for preventing sql injection on forms?
any help would be great, thanks.
There's a function mysql_real_escape_string() which is generally seen as a basic requirement for preventing this kind of attack.
Don't forget to also set a character encoding. I'd suggest UTF-8. And make sure your HTML uses the same encoding as your database/tables.
Probably one of the best solutions is to filter all incoming data with function mysql_real_escape_string
To protected yourself against SQL Injection you need to sanitize input and use parameter queries.
I'm not sure about PHP, but I think you have something like prepared statements. You should search and read a little about it.
Also, that is not the only problem you should care about, please (!!!) take a look at https://www.owasp.org/index.php/Main_Page