This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
I'm starting to think about protecting my inputs from SQL injection. I've read about PDO and mysqli and will be using those techniques. While I was researching protection against SQL injection, I had a thought about a technique. Whenever I have an input from a user, I could scan the input string and search for occurrences of "'" or "DROP" and if the string contains those characters, then I could just not proceed. Would this technique prevent a lot of SQL injection?
Thanks for your help.
It is best to go with methods which have gone through rigorous testing before hand, and not try to implement your own.
A problem with your desired solution is, what happens when SQL add a new notation for dropping tables? Or what if they use 'truncate' instead? This is not foolproof.
Just use PDO or SQLi.
If used correctly and as intended, both will stop it; it'd be silly to use a measure like stopping the word DROP -- Imagine if someone types 'dropbox,' for example?
You should escape your input, and consider using prepared statements. This will remove nearly all SQL injection weaknesses. Scanning for specific words is a terrible practice, as it generally annoys legit users, and doesn't stop determined hackers.
Try to use only prepared statement. It one of the best technique ever.
http://php.net/manual/pt_BR/pdo.prepared-statements.php
The best way is to validate all user input against strict patterns to ensure no user data is abnormal, along with PDO prepared statements - this way you may also prevent XSS however it is usually beneficial to sanitize all user generated output as well just in case you didn't properly validate something and a user is able to execute malicious code.
Related
Suppose you have a query looking like this:
SELECT * FROM messages WHERE sender='clean_username'
where the clean_username is received over get/post and sanitized like this:
$clean_username = preg_replace( '/[^A-Za-z0-9_]+/m' , '', $dirty_username );
The above code removes any whitespace (among other things), which means that the valid_username parameter will always only be one word.
What is the simplest way this can be exploited with an injection?
I'm asking this question to better understand how SQL injection works. In my work I stick to the established good practices of using prepared statements and parameterized queries to prevent injections, but I think it's good for people to also have an understanding of how malicious code can be injected in a simple scenario like this.
You can still exploit this using hex coding: stripping spaces is not enough.
I guess this is a somewhat interesting place to start. But consider that preg_match()es are pretty bad for performance on high traffic sites.
Prepared statements and parameterized queries are always the best way to prevent SQL injections.
Example of GET injection using hex coding and no spaces
?id=(1)and(1)=(0)union(select(null),group_concat(column_name),(null)from(information_schema.columns)where(table_name)=(0x7573657273))#
I think you can see the problem above.
I think you already answered the question on your own.
The best way is a standard approach where you use parameterized queries to distinguish between user data and sql command.
In your particular case you assume that a sender username can only consist out of a limited set of ASCII characters. That might work for the moment, and as long as there is no string conversion before, no one can easily close the string apostrophes within the sql statement.
But always consider anticipation of changes. Somebody can rely on your given code in the nearby future and use or modify it and make new assumptions. Your test is actually weak and it can suddenly become dangerous when no one remembers and expects it.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
I'm new to PHP and i'm about to finish up a project, however i need to protect my database from SQL injections. Do i need to strip slashes on every sql query i do, or do i only need to do it for sql INSERT/UPDATE statements and not SELECT statements? Or is it best practice to do it for everything?
I'M NOT ASKING HOW TO PREVENT SQL INJECTION, I'M ASKING WHEN TO USE IT.
strip_slashes() is not what you want. You should be using prepared/parameterized queries which separate the data from the SQL, making it inherently safe from this problem.
Use PDO or mysqli with prepared statements.
There are so many other ways to inject using SQL. If you want a good example of this, here's one: /* in one field, */ in another. Everything in between will be commented on MySQL4 and MySQL5 without parametrization.
Switch to PDO/MySQLi and request true parametrization from the driver. This will force the driver to send the request without data first, and the data in another packet, thus forcing compliance, along with solving many, many headaches.
If this hasn't convinced you yet, try this link: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/ .
Use PDO. Not "PDO or MySQLi", but PDO. It's the only reliable driver available (though offers insufficient protection).
If you want full protection, use SafeMysql
I'M NOT ASKING HOW TO PREVENT SQL INJECTION, I'M ASKING WHEN TO USE IT.
Good question.
You don't need any protection or prevention.
You have to format your queries properly. ALWAYS.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
How to prevent SQL injection in PHP?
I use PDO prepared statements to prevent MySQL injection, but should I be doing anything more to sanitize user input? The user will only be shown his own input and the input of others he "friends." Is there anything else I need to do to sanitize input?
I don't think that magic quotes are enabled, and I can't think of any other way a user could mess with my site, but I am new to this so I am not sure.
Thanks in advance!
If you're using prepared statements, then you shouldn't have any issue with MySQL injection.
If an application exclusively uses prepared statements, the developer
can be sure that no SQL injection will occur (however, if other
portions of the query are being built up with unescaped input, SQL
injection is still possible).
You might consider sanitizing your output, however, like only displaying certain HTML tags (if any at all), to avoid issues with someone messing with the site's layout or, worse, executing arbitrary JavaScript.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Best way to prevent SQL injection?
I just realized that the php script I use to pull mySQL data and display it on website is extremely vulnerable to SQL injection attacks. What practices are used to protect against these attacks?
Using mysqli_real_escape_string to escape whatever is going in is the least you should be doing.
You might also want to look into using prepared statements.
Read more here: http://php.net/manual/en/security.database.sql-injection.php
All the comments to your post are good suggestions. I personally prefer using prepared statements through PHP's PDO.
Every parameter you get from the user (whether direct or indirect), every value you you insert into your query from a variable you didn't explicitly set, etc, should be inserted into your queries using prepared statements. No exceptions. More experienced developers can get away with a few exceptions, but I would recommend no exceptions, ever.
See PDO::prepare in the PHP documentation for some examples.
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Best way to stop SQL Injection in PHP
I'm currently designing and building my own content management system and my main worry is someone using an sql injection on my forms. I have a decent amount of security to get into my CMS but on the front end of the site I'll have a subscriber form and contact for which will link to my mySql database.
What tend to be the conventional PHP methods for preventing sql injection on forms?
any help would be great, thanks.
There's a function mysql_real_escape_string() which is generally seen as a basic requirement for preventing this kind of attack.
Don't forget to also set a character encoding. I'd suggest UTF-8. And make sure your HTML uses the same encoding as your database/tables.
Probably one of the best solutions is to filter all incoming data with function mysql_real_escape_string
To protected yourself against SQL Injection you need to sanitize input and use parameter queries.
I'm not sure about PHP, but I think you have something like prepared statements. You should search and read a little about it.
Also, that is not the only problem you should care about, please (!!!) take a look at https://www.owasp.org/index.php/Main_Page