How to protect from sql injection?

Hamed · #1 (**permalink**) 08-30-08, 10:31 PM

Hello,
I want to know how can I protect from sql injection?
What is the best way?
Is there anyway to add one function for all queries and where get sql injection?

End User · #2 (**permalink**) 08-31-08, 08:24 AM

Quote:

Originally Posted by Hamed

Hello,
I want to know how can I protect from sql injection?
What is the best way?
Is there anyway to add one function for all queries and where get sql injection?

If you search this forum you'll find this subject has been discussed many times. Sanitizing input is a multi-step process and no one single step is "it". Validate all incoming data for type, remove potentially malicious characters, and strip common exploit code. After doing that, use mysql_real_escape_string() for all queries to the database or use a custom function that performs the same actions.

loveloop · #3 (**permalink**) 09-01-08, 11:40 PM

you can use htmlspecialchars to protect from sql injection

$input = htmlspecialchars($input,ENT_QUOTES);

Keith · #4 (**permalink**) 09-02-08, 12:26 AM

Quote:

Originally Posted by End User

Sanitizing input is a multi-step process and no one single step is "it".

...just to be sure loveloop read the previous message.

loveloop · #5 (**permalink**) 09-02-08, 01:19 AM

Quote:

Originally Posted by Keith

...just to be sure loveloop read the previous message.

End User · #6 (**permalink**) 09-02-08, 10:04 AM

Quote:

Originally Posted by loveloop

you can use htmlspecialchars to protect from sql injection

WRONG. You write a script with that as your only protection and in 10 minutes I'll be having my way with your server like a drunken prom date.

Seriously, don't think for one second that htmlspecialchars() is going to protect you. It won't.

woyrz · #7 (**permalink**) 09-02-08, 02:45 PM

firsth of all you need to know exaclty what you are trying to do.

STRING VALIDATION
I you expected to received number cast your sting as int so that way php will reject any alpha chars.

length and restriction can offent be applied to your string limiting what you will store.

if the string doesn't match what I'm expecting I drop everything and display an error message.

STRING CLEANING
htmlspecials... and addslashes are powerful but not alone.

I often user htmlspecialchars with the ENT_QUOTES options

THE SQL
As for the SQL i used prepare statement and PDO.
If you used a FrameWork they give you an other layer of security if you dont by pass them.

Mike · #8 (**permalink**) 09-03-08, 03:51 PM

Quote:

Originally Posted by End User

WRONG. You write a script with that as your only protection and in 10 minutes I'll be having my way with your server like a drunken prom date.

Seriously, don't think for one second that htmlspecialchars() is going to protect you. It won't.

I had a good laugh at this... I must say End User... VERY good choice of words. Back on the topic though... he is absolutely correct... 10 minutes or less you will be screwed.