Protecting Against MySQL Injections
I just had the not so fun task of auditing some PHP code that had a lot of vulnerabilities. These were all MySQL injection type attacks. I had found them mostly because of the MySQL errors they generated in our logs. If you are writing PHP scripts and you are using MySQL you must sanitize your data! Never assume nobody will know. It is easy to find.
Here is an example, this script will look up widgets of certain category ID: http://www.somesite.com/somePHPscript.php?viewCategory=19 Well, a BAD way to do this: Code:
"SELECT * FROM widgets WHERE category_id = " . $_REQUEST['viewCategory']; Code:
http://www.somesite.com/somePHPscript.php?viewCategory=19%20union%20truncate%20widgets Code:
SELECT * FROM widgets WHERE category_id = 19 union truncate widgets; How would you combat that? Here you go: Code:
"SELECT * FROM widgets WHERE category_id = " . intval($_REQUEST['viewCategory']); What if you are using text? Example: Code:
"UPDATE users set name='$username'" Code:
"UPDATE users set name='" . mysql_real_escape_string($username) . "'" |
I'm using mysql_real_escape_string() to sanitize my user input. Jeff what is the difference if you using mysql_real_escape_string to sanitize your first example?
|
Quote:
|
Unless you mean what is the difference between mysql_real_escape_string and mysql_escape_string. The difference is, the mysql_escape_string is deprecated and also mysql_real_escape_string takes a connection handler and escapes the string according to the current character set.
|
Quote:
From what I learned mysql_real_escape_string() is good enough to sanitize ANY user input. I'm just worried that mysql_real_escape_string() function only works in certain condition. Thanks |
Quote:
Code:
$variable = "I am some injected text"; 0 So if you are expecting a variable to be an integer such as a timestamp, or an ID #, pass it through intval and no matter what, it will always come out as a number. It eliminates any chance that variable has been injected with any SQL code. If you just used mysql_real_escape_string() you could still cause an error if MySQL is expecting an integer. This does not help you however when you NEED text. Then you use mysql_real_escape_string(). |
I am dealing with this right now and am tightening up the holes in my scripting. I'm using PHP to drive it and am wondering what method to use for this project, MySQLi or PDO. It's a subscription site for online ads, and uses PayPal so no SSL is needed on our end, but still important to protect the data of course! Would PDO be better suited or shall I just work out 100% sanitation methods?
|
You can eliminate most mysql injections with MySQLi's prepare method. :)
|
For a subscription site dealing with online ads and PayPal, would you recommend using MySQLi's prepare method or PDO for protecting against SQL injection, and why?
|
All times are GMT -4. The time now is 07:21 PM. |
Powered by vBulletin® Version 3.8.8 Beta 4
Copyright ©2000 - 2024, vBulletin Solutions, Inc.