PDO and prepared statements are still kind of confusing to me, no matter how much I read about them so far. So I know they are more "secure" but is it really that important? I mean I can get the same end result using basic mysql with mysql_real_escape_string() and htmlspecialchars() right?
You could, but PDO and prepared statements are the absolute safest. Could you do it by hand and use the mysql_real_escape_string() function? Sure. In fact, your output might look identical. But in the end, the code that PDO would require would be a hell of a lot shorter than the code if you had done it manually.
Also, if you aren't using prepared statements, you run the risk of human error: say you forget to escape a value or sanitize an input. Mixed in with all of your other code, the one line that isn't properly sanitizing could crop up to be a nightmare down the road.
Hope this helps!
I really like the PDO interface. Once you get used to it, it's a lot cleaner than the mysql_* function style. It took me a while to figure it out, too, but it's worth it.
The part that I found confusing was remembering what methods belong to the PDO DB connection object itself, and which are part of the statement objects.
With certain actions, you'll get a performance benefit from repeating prepared statements, too. For instance, if you're doing a bunch of inserts in a loop, you can prepare the statement, and then bind new data in the loop each time before inserting.
The security is much better too, in that you are relying on a well tested library to escape your data on each insert. It's like cryptography - why do it yourself, when it's something this important? There's no reason to give yourself a chance to get it wrong (i.e., accidentally miss escaping something inserted into a query).
I recommend this guide to PDO, from the author who wrote this excellent giant book on Mysql.
I like to use the positional parameter style, and then you just make an array of the data and pass it in. My queries look like
$pdo_db=pdo_connect('cow_db');
$sql='select this,that,count(those) as snout from lovely_table where name=? and horses=?';
$data=array($username,$horse_count);
$query_stmt=$pdo_db->prepare($sql);
$result_handle=$query_stmt->execute($data);
//then I have a function to load data from the result handle
$info=load_array($result_handle);
You could make functions like this to work with the standard php mysql interface, but why not just use PDO?
I agree with others who say using prepared queries is generally better than using escaping functions. It's easier to use correctly, and there's no way that parameter values can introduce SQL injection problems, since the value are sent to the RDBMS server separately from the SQL query.
However, using parameters is useful only when the dynamic parts of your SQL query is a parameter in lieu of a literal value in an expression. You can't use a query parameter in place of a table name, column name, an SQL expression, or a list of values (e.g. arguments of an IN( ) predicate).
Prepared queries also have better performance than non-prepared queries (at least in MySQL). Most people say the opposite, but the well-respected mysqlperformanceblog.com did the testing:
http://www.mysqlperformanceblog.com/2006/08/02/mysql-prepared-statements/
As long as you sanitize data appropriately for your queries then you don't have to use PDO/prepared statements. Though, I would personally recommend using PDO/prepared statements simply because they do both make development/debugging easier and prepared statements prevent incorrect data types from even getting in to a query.
If you want to learn more about how to create a simple prepared statement look in to the function sprintf. You simply replace any variable strings, integers, etc with a type specifier (in this case %s and %d respectively).
So for example in the following query, I know that id is going to be an integer (it will be numerical) and name will be a string (alphanumeric).
$username = 'Simon';
$id = 3;
$query = "SELECT FROM `users` WHERE `id` = {$id} AND `name` = '{$username}'";
If I'm getting either of this variables from an un-trusted source (such as a POST/GET) then I can make sure they are the correct data types by replacing the final line (the $query set) with a sprintf call like this:
$username = 'Simon';
$id = 3;
$query = sprintf( "SELECT FROM `users` WHERE `id` = %d AND `name` = '%s'", $id, $username );
sprintf will simply not let me use a string for the $id or an integer for the $name when it is called which ensures the correct types of data are given (this gives me that little extra bit of security). IF incorrect data types ARE given then I believe it'll cast the variables to the requested type.
To read more about sprintf visit here: http://php.net/sprintf
I hope this explains enough (it's my first answer) :).
you could try zend_db which uses pdo under the hood. (mdb2 is another option you can use.)
PHP lets you do anything you want, and it just so happens PDO does what "you want" with a lot less code. :)
Related
This question already has answers here:
Why is using a mysql prepared statement more secure than using the common escape functions?
(7 answers)
Closed 9 years ago.
Okay, I still don't really get it. I keep reading that in order to properly escape your MySQL queries, you need to use mysqli_prepare() and mysqli_bind_param().
I tried using this setup and, quite frankly, it's a little clunkier. I'm stuck passing variables by reference when I don't need to ever reference them again, and it's just more lines of code to accomplish the same task.
I guess I just don't get what the difference is between:
<?php
$sql = new \MySQLi(...);
$result = $sql->query('
UPDATE `table`
SET
`field` = "'.$sql->real_escape_string($_REQUEST[$field]).'";
');
?>
and
<?php
$sql = new \MySQLi(...);
$stmt = $sql->prepare('
UPDATE `table`
SET
`field` = ?;
');
$value = $_REQUEST[$field];
$stmt->bind_param('s', $value);
$stmt->execute();
$result = $stmt->get_result();
unset($value);
?>
other than more code.
I mean, did they implement this so that people wouldn't forget to escape values before sending them in a query? Or is it somehow faster?
Or should I use this method when I intend to use the same query repeatedly (since a mysqli_stmt can be reused) and use the traditional method in other cases?
What you are reading, that you need to use mysqli_prepare() and mysqli_bind_param() functions to "properly escape your MySQL queries" is wrong.
It is true that if you use mysqli_prepare() and mysqli_bind_param(), you needn't (and shouldn't) "escape" the values supplied as bind parameters. So, in that sense, there's some truth in what you are reading.
It's only when unsafe variables are included in the SQL text (the actual text of the query) that you need to "properly escape" the variables, usually by wrapping the variables in mysqli_real_escape_string() function calls.
(We note that it's possible to make of use of prepared statements and still include un-escaped variables in the SQL text, rather than passing the variable values as bind_parameters. That does sort of defeats the purpose of using prepared statements, but the point is, either way, you can write code that is vulnerable.
MySQL now supports "server side" prepared statements (if the option is enabled in the connection), and that's a performance optimization (in some cases) of repeated executions of identical SQL text. (This has been long supported in other databases, such as Oracle, where making use of prepared statements has been a familiar pattern for, like, since forever.)
Q: Did they implement [prepared statements] so that people wouldn't forget to escape values before sending them in a query?
A: Based on the number of examples of code vulnerable to SQL Injection when not using prepared statements, despite the documentation regarding mysql_real_escape_string() function, you'd think that certainly would be sufficient reason.
I think one big benefit is that when we're reading code, we can see a SQL statement as a single string literal, rather than a concatenation of a bunch of variables, with quotes and dots and calls to mysql_real_escape_string, which isn't too bad with a simple query, but with a more complex query, it is just overly cumbersome. The use of the ? placeholder makes for a more understandable SQL statement,... true, I need to look at other lines of code to figure out what value is getting stuffed there. (I think the Oracle style named parameters :fee, :fi, :fo, :fum is preferable to the positional ?, ?, ?, ? notation.) But having STATIC SQL text is what is really the benefit.
Q: Or is it somehow faster?
As I mentioned before, the use of server side prepared statements can be and advantage in terms of performance. It's not always the case that it's faster, but for repeated execution of the same statement, where the only difference is literal values (as in repeated inserts), it can provide a performance boost.
Q: Or should I use this method when I intend to use the same query repeatedly (since a mysqli_stmt can be reused) and use the traditional method in other cases?
That's up to you. My preference is for using STATIC SQL text. But this really comes from a long history of using Oracle, and using the same pattern with MySQL fits naturally. (Albeit, from Perl using the DBI interface, and Java using JDBC and MyBATIS, or other ORMs (Hibernate, Glassfish JPA, et al.)
Following the same pattern just feels natural in PHP; the introduction of mysqli_ and PDO are a welcome relief from the arcane (and abused) mysql_ interface.
Good code can be written following either pattern. But I challenge you to think ahead, about more complex SQL statements, and whether the choice to use mysqli_real_escape_string() and concatenating together a dynamic string to be executed, rather than using static SQL text and bind parameters, might make reading, and deciphering, the actual SQL being executed more complicated for the soul that finds themselves maintaining code they didn't write.
I think studies have shown that code is read ten times more than it is written, which is why we strive to produce readable, understandable code, even if that means more lines of code. (When each statement is doing a single identifiable thing, that's usually easier for me to understand than reading a jumble of concatenated function calls in one complicated statement.
I think it's less a question of the latter method being more secure per se than encouraging separation of logic. With prepared statements the SQL query is independent of the values we use. This means, for example, when we go back and change our query we don't have to concatenate a bunch of different values to a string, and maybe risk forgetting to escape our input. Makes for more maintainable code!
There are a couple main benefits I found that were well written:
The overhead of compiling and optimizing the statement is incurred
only once, although the statement is executed multiple times. Not
all optimization can be performed at the time the prepared statement
is compiled, for two reasons: the best plan may depend on the
specific values of the parameters, and the best plan may change as
tables and indexes change over time.
Prepared statements are resilient against SQL injection, because
parameter values, which are transmitted later using a different
protocol, need not be correctly escaped. If the original statement
template is not derived from external input, SQL injection cannot
occur.
On the other hand, if a query is executed only once, server-side prepared statements can be slower because of the additional round-trip to the server. Implementation limitations may also lead to performance penalties: some versions of MySQL did not cache results of prepared queries, and some DBMSs such as PostgreSQL do not perform additional query optimization during execution.
Source
I would like to add that mysqli_bind_param() has been removed as of PHP 5.4.0. You should use mysqli_stmt_bind_param()
I do know of parametrized queries, but I've got a couple of old sites where I've used this method for cleaning user input:
<?
mysql_query( sprintf( 'SELECT col1 FROM table1 WHERE id = %d', $tainted ) );
?>
Note that there are no quotes around %d. Is there any value for $tainted that could cause such queries to have unexpected results? It's easy to give syntax errors, but I don't care too much about that.
I've used the same method for similar UPDATE and DELETE queries. Should I bother going back and fixing all old queries, or is there no vulnerability here?
No, it's not a vulnerability.
But it is a potential vulnerability: if some maintenance programmer decides to perform a small change and forgets that the variable may be tainted, or if the variable's data type is changed from integer to string (and the specifier to %s) down the road -- then there will be trouble.
It's better to simply not go there to begin with (but from a practical point of view, it's also not apparent if beefing up the defenses of this legacy code is worth it).
To answer your question, using sprintf in the manner which you presented, should avoid any sql injection, because any non-int values being cast as decimal via %d will simply take on a value of 0:
$ -> php -r "echo sprintf('update table where id = %d', 'drop databases');"
update table where id = 0
However I would be remiss if I did not attempt to persuade you to use the PDO API, and more specifically, prepared statements. I believe the mysqli API also has prepared statements, but I have never used them, only ever used PDO prepare, or an ORM such as Doctrine or Propel.
It appears safe enough as an input, but it's certainly not advisable from a user experience point-of-view, since you won't be able to provide the user with details if the input doesn't match the parameters needed if the id attribute.
In theory, it shouldn't be vulnerable, because sprintf() won't insert the variable if it isn't numeric.
However, that doesn't mean it's right. It may still result in errors that could break your code.
Regardless of whether this is vulnerable or not, I would strongly recommend switching away from the mysql_xx() functions entirely.
The old MySQL library has been deprecated (see the notes on the PHP manual pages), and it is recommended to switch to either PDO or mysqli_xx libraries.
Both the PDO and MySQL come with a feature called Prepared Queries, which does exactly what you're trying to achieve here, and is a far better solution than sprintf() for this kind of thing. Removes the need to escape all your variables for SQL too.
Hope that helps.
I'm developing a simple PHP database application for internal use but would like to code it to best practices. Some of my pages are receiving integer values from GET requests and I'm just wondering how much validation and sanitation is really required.
Currently I'm using $num = filter_input(INPUT_GET, 'num', FILTER_VALIDATE_INT, $num_options); with specified min and max values. From here I'm exiting with an error message if $num == false
Is it necessary to also use $mysqli->real_escape_string($num);
Currently I am not bothering because I think it's quite hard to do SQL injection using an integer...
Thanks,
Kevin
UPDATE: To clarify the query I'm doing looks like this
$sql = "SELECT employeeID, concat(FirstName, ' ', LastName) as Name FROM employee WHERE employeeID='$num'";
I see your using mysqli, your best option for security is to look into Prepared Statements.
PHP mysqli Prepared Statements
It's a bit involved for an example, but the above link has indepth examples.
Once you get the hang of it though, and build your class. It's really only a normal sql query but instead of including your values you use ?
"SELECT * FROM account WHERE username = ? AND password = ?"
and you bind your values to the statement:
array("bradley", "Passw0rd");
The security comes from, as a short answer, is the fact you don't concat the values into the query string yourself. Making it less prone to sql injection.
Like many other PHP users you are taking escaping wrong. You taking it as a some sort of magic wand which makes some "evil characters" "safe".
This is wrong idea.
though prepared statements can be taken as a sort of such a magic wand, escaping is not a synonym for "SQL injection protection". It is a merely string syntax rule - no more, no less.
Is it necessary to also use $mysqli->real_escape_string($num);
It is irrelevant question.
To escape or not to escape decision have to be bound to SQL, not to the data source or any validations:
real_escape_string() have to be used for the sql strings, i.e. parts of the query enclosed in quotes. Have to be used unconditionally, despite of whatever previous manipulations.
For the any other part of the query real_escape_string() being completely useless.
An explanation:
Data validation rules can be changed.
While SQL building rules have to be explicit and unconditional. To make a developer never ask himself a question like this.
In fact, it's completely different matters: data validation and query building. Why keep in mind such details and build the query accordingly? Why not to build the query based on some set of general purpose rules, irrelevant of the data nature at all?
So, to your question again:
if you are adding your data to the query as is, without quotes, real_escape_string() going to be completely useless in this case, but casting/validation become essential.
if you are adding your data to the query using prepared statement, real_escape_string() going to be completely useless and even harmful.
if you are adding your data to the query in quotes - you ought to do real_escape_string() in this case.
it is also worth to mention that if you are adding your data to the query as a part of SQL language - as an identifier or an SQL keyword - real_escape_string() is completely useless too, as well as prepared statement. Whitelisting is your only friend here
I inherited a moderately large sized code base that makes extensive use of mysql_fetch_assoc and mysql_fetch_object, and doesn't have any security precautions preventing SQL injection. I decided that this was a Very Bad ThingTM that needed fixing.
Initially, I intended on moving to mysqli prepare/bind_param/execute statements to handle DB queries. However, the following does not work:
$stmt = $GLOBALS['db']->prepare('SELECT * FROM Users WHERE Username=?');
$stmt->bind_param('s', $username);
$stmt->execute();
// Somehow retrieve the fetched row as an object (Doesn't work!)
return $stmt->fetch_assoc();
Question 1: Is there a way to use fetch_assoc or fetch_object using prepare/bind? I can refactor all the code, but it would be messy and take a very long time.
Question 2: If it is not possible to do this, is it just as effective from a security standpoint to use mysqli_query(), provided all inputs are properly escaped via mysql_real_escape_string()? Do you have any other suggestions?
$row = $stmt->fetch(PDO::FETCH_ASSOC) Ref: http://php.net/manual/en/pdostatement.fetch.php
You can use mysqli if you want. As long as you use the real_escape_string functions on ALL user data (including your own) that's going into SQL statements, then it's no less secure than using prepared statements - it's just much easier to miss a post and leave a hole open.
Replacing raw mysql with raw mysli makes very little sense.
in fact, all those doleful repetitive prepare/bind/execute/fetch being as ugly as mysql_query/fetch.
If you going to refactor your code anyway, you have to develop some library function, which will take a query and it's prameters as arguments and return an array of data, doing all the fetching inside.
as for the escaping all inputs via mysql_real_escape_string(), it is going to be an equivalent of magic quotes, which, at last, been acknowledged as a bad practice.
in fact, mysql_real_escape_string() doesnt make any data safe. it has nothing to do with safety at all. it's merely a formatting routine, and works only for strings. But there are other types to insert into query. For the detailed explanations refer to my prefious answer, How to include a PHP variable inside a MySQL insert statement
MySQL is not letting me use "s and 's with a context form I made for my site. All of the other fields sent to the database just fine, but the longtext one also makes an error if you use anything other than letters and numbers.
I have it at long text, not null.
I am trying to put mysql_real_escape_string() in my code
Use parameterized query then you don't have to worry about escaping special characters and it is safer too (ie against SQL injection attack).
find function in your programming language that escapes slashes and similar and apply it to your output before sending to database
This should work as proposed
$sql2="INSERT INTO $tbl_name(s_id, s_name, s_email, s_content) VALUES(".$id.", '".mysql_real_escape_string($s_name)."', '".mysql_real_escape_string($s_email)."', '".mysql_real_escape_string($s_content)."')";
You should: Take advantage of prepared statements and if you don't do that escape ALWAYS!!! values that come from client input. If not your website can easily been hacked by script-kiddis that just test some sql-injections.
it is better to use prepared statements then the method you have adopted, the plus point of using Prepared Statements like PDO are, it will save you from attacks Such as MYSQL Injections and there are lot more, basically PDO is an inbuilt PHP class which lets you interact with your database at ease, plus it is very flexible, for example,
To establish a connection using PDO you just need to use one line of code, it is like initializing an object.
$dbh = new PDO('mysql:host='.HOST.';dbname='.DATABASE,USERNAME,PASSWORD);
that's it, please note i have used Constant, you can replace it with you own.
now for example if you want to select something using PDO, you just need to write one line of code.
$sth = $dbh->query('SELECT id,name FROM table');
//Query is executed in the above code, and when you want to retrieve the value you just need another line of code.
$result = $sth->fetchAll(PDO::FETCH_ASSOC);
that's it, now you have an array $result which holds all the retrieved value. isn't it very simple and easy to use?
to get you started with using PDO here take a look at this tutorial in net.tutsplus.com
they have explained it very well.