This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Best way to stop SQL Injection in PHP
I'm currently designing and building my own content management system and my main worry is someone using an sql injection on my forms. I have a decent amount of security to get into my CMS but on the front end of the site I'll have a subscriber form and contact for which will link to my mySql database.
What tend to be the conventional PHP methods for preventing sql injection on forms?
any help would be great, thanks.
There's a function mysql_real_escape_string() which is generally seen as a basic requirement for preventing this kind of attack.
Don't forget to also set a character encoding. I'd suggest UTF-8. And make sure your HTML uses the same encoding as your database/tables.
Probably one of the best solutions is to filter all incoming data with function mysql_real_escape_string
To protected yourself against SQL Injection you need to sanitize input and use parameter queries.
I'm not sure about PHP, but I think you have something like prepared statements. You should search and read a little about it.
Also, that is not the only problem you should care about, please (!!!) take a look at https://www.owasp.org/index.php/Main_Page
Related
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
a little new to MySQL but, if I create a Page using HTML, CSS & JS do i need to use prepeard statements to prevent SQL Injections?
Or only if i use text iput?
Maybe me using text-input doesn't matter as user can edit files during use with browser-inspection tools to add one anyway.
If I use PHP instead of HTML for includes is it more easy to inject Code?
Lets say I set up a site using Siteground, where do i find the files I need to edit to prevent this, PHP or MySQL?
Or do I only need to worry about this if I write some custom PHP/MySQL code which handles incoming data to the database?
Or am I asking the wrong question?
Thanks!
-A
SQL injection is an attack type which consists of a user writing malicious code as user input and then posting it to the server. If the db server executes such a code, then bad things will happen.
To prevent executing malicious SQL provided in user input is equivalent of escaping dynamic parameters of queries. This can be done either by PDO or mysqli_real_escape_string.
So, to make sure you have no possibility for SQL injection, just check all the places where direct MySQL commands are executed and make sure the parameters are escaped.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 7 years ago.
I was wondering if I'm safe from SQL injection if I have this in a script:
< script>
//some stuff
var item = <?php echo json_oncode($PHPVAR) ?>
item.replace(/"/,'"').replace(/'/,''');
//do more script stuff with item
< /script>
currently using Laravel (PHP), with PDO
Are there anything else that I should be aware of/look out for?
(I didn't whitelist/blacklist before submitting to database b/c PDO does that for me from what I understand)
Also I'm asking b/c item is taken from a user input and it dynamically creates HTML using the value of item
The question is somewhat unanswerable (atleast not in a way that will not give you a false sense of security) with the amount of resource provided.
Since you are using PDO I'll go right ahead and say that you ought to be using prepared statements. Injection on a whole primarily lies on how the Web Application handles user input.
Your question should be, "How does this piece of user input interact with my application?" -- ofcourse there isn't a set list of things to do in order to keep yourself protected from (B)SQLi (or other variants of Injection [XSS/LDAP]).
The following are some good resources that will help you out further with regards to SQL Injection on a whole (you need to know how the vulnerability works in general if you want to be able to cover something specific).
OWASP SQL Injection
Acunetix SQL Injection
SQL Injection Cheat Sheet
There isn't much more to specifically answer your question except maybe go deeper into how to handle user input with regards to the code you have provided (which we may but I don't think is required).
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
I'm new to PHP and i'm about to finish up a project, however i need to protect my database from SQL injections. Do i need to strip slashes on every sql query i do, or do i only need to do it for sql INSERT/UPDATE statements and not SELECT statements? Or is it best practice to do it for everything?
I'M NOT ASKING HOW TO PREVENT SQL INJECTION, I'M ASKING WHEN TO USE IT.
strip_slashes() is not what you want. You should be using prepared/parameterized queries which separate the data from the SQL, making it inherently safe from this problem.
Use PDO or mysqli with prepared statements.
There are so many other ways to inject using SQL. If you want a good example of this, here's one: /* in one field, */ in another. Everything in between will be commented on MySQL4 and MySQL5 without parametrization.
Switch to PDO/MySQLi and request true parametrization from the driver. This will force the driver to send the request without data first, and the data in another packet, thus forcing compliance, along with solving many, many headaches.
If this hasn't convinced you yet, try this link: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/ .
Use PDO. Not "PDO or MySQLi", but PDO. It's the only reliable driver available (though offers insufficient protection).
If you want full protection, use SafeMysql
I'M NOT ASKING HOW TO PREVENT SQL INJECTION, I'M ASKING WHEN TO USE IT.
Good question.
You don't need any protection or prevention.
You have to format your queries properly. ALWAYS.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
I'm starting to think about protecting my inputs from SQL injection. I've read about PDO and mysqli and will be using those techniques. While I was researching protection against SQL injection, I had a thought about a technique. Whenever I have an input from a user, I could scan the input string and search for occurrences of "'" or "DROP" and if the string contains those characters, then I could just not proceed. Would this technique prevent a lot of SQL injection?
Thanks for your help.
It is best to go with methods which have gone through rigorous testing before hand, and not try to implement your own.
A problem with your desired solution is, what happens when SQL add a new notation for dropping tables? Or what if they use 'truncate' instead? This is not foolproof.
Just use PDO or SQLi.
If used correctly and as intended, both will stop it; it'd be silly to use a measure like stopping the word DROP -- Imagine if someone types 'dropbox,' for example?
You should escape your input, and consider using prepared statements. This will remove nearly all SQL injection weaknesses. Scanning for specific words is a terrible practice, as it generally annoys legit users, and doesn't stop determined hackers.
Try to use only prepared statement. It one of the best technique ever.
http://php.net/manual/pt_BR/pdo.prepared-statements.php
The best way is to validate all user input against strict patterns to ensure no user data is abnormal, along with PDO prepared statements - this way you may also prevent XSS however it is usually beneficial to sanitize all user generated output as well just in case you didn't properly validate something and a user is able to execute malicious code.
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Best way to stop SQL Injection in PHP
I would like to know which functions is best to use to prevent MySQL injections
There are plenny of functions I can use to prevent sql injections, such as:
mysql_real_escape_string
mysqli_real_escape_string
addslashes
casting values (intval etc...) for numbers
htmlentities with ENT_QUOTES
or simply remove the ' or "
I want to standardize my code using the best and faster anti-SQL-injections method and I would like to know which one should I use for high traffic sites.
You shouldn't use htmlentities for saving data to a database, addslashes isn't 100% secured (some character sets can still make it vulnerable), using mysql_ or mysqli_ is dependent on the driver you're using and not interchangable. Basically, its not a matter of speed or performance - the only right thing to do is using the escape function that comes with your driver (pdo::escape or mysql[I]_real_escape_string) for strings and casting integers/floats to their correct type.
To give you a simple answer, you can use mysql_real_escape_string
http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php
http://www.osempire.com/php-injection-attacks-guide
To give you a better answer, try reading Theo's answer in How can I prevent SQL injection in PHP?
I assume you are in the middle of the project already. Once you finish, I suggest learning a new framework like CodeIgniter, Yii and CakePHP to speed up development.