Usually, I use PDO's prepared statements, type casting to (int), or PDO::quote() to prevent SQL injection. For this application, I need to modify the date using PHP before adding it to the query. Do I need to take extra steps to prevent SQL injection, or am I safe? Thanks
$date = new DateTime($_GET['suspect_user_provided_date']);
$date->add(new DateInterval('P1D'));
$sql = 'SELECT * FROM table WHERE date < "' . $date->format('Y-m-d') . '"';
SQL Injection (SQLi) is a type of injection attack that makes it possible to execute malicious SQL statements. These statements control a database server behind a web application. Attackers can use SQL Injection vulnerabilities to bypass application security measures.
Direct SQL Command Injection is a technique where an attacker creates or alters existing SQL commands to expose hidden data, or to override valuable ones, or even to execute dangerous system level commands on the database host.
SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
It doesn't matter if the DateTime object is safe or not. You should escape the data you are passing to the query and not rely on the safety of the provided library. If you change the implementation, you will not need to care whether the new implementation is safe or not. You should always escape. Otherwise you will try to answer - and to remember - for each function: was it safe for SQL? for HTML? for CSV? for HTTP / mail headers? for... don't! The line of code that sends a query should know nothing about the DateTime implementation or whether it is safe or not.
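The following is an added example, not code from the question or from any of the answers. It shows the query from the question rewritten so that the formatted date is bound as a PDO parameter rather than concatenated into the SQL text, and it validates the incoming string as a strict Y-m-d date before the DateTime arithmetic runs. It assumes a MySQL/MariaDB connection in $pdo, a table named `table` (a reserved word in MySQL, hence the backticks) and a DATE column named `date`, matching the names used in the question.

```php
<?php
// Added example (not from the question or answers): bind the formatted
// date as a parameter so the SQL text never contains user-controlled data.
// Assumptions: MySQL/MariaDB via PDO, table `table` with DATE column `date`.
declare(strict_types=1);

function parseDatePlusOneDay(string $raw): ?DateTimeImmutable
{
    // Accept only an exact Y-m-d string. The '!' resets the time part to
    // 00:00:00; the round-trip check rejects overflowed dates such as
    // 2024-02-30, which createFromFormat would otherwise roll forward.
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    if ($d === false || $d->format('Y-m-d') !== $raw) {
        return null; // malformed, trailing data, or out-of-range date
    }
    return $d->add(new DateInterval('P1D'));
}

function findRowsBefore(PDO $pdo, string $raw): array
{
    $date = parseDatePlusOneDay($raw);
    if ($date === null) {
        throw new InvalidArgumentException('date must be YYYY-MM-DD');
    }
    // The query text is a constant; the value is sent separately, so no
    // character in $raw can change the statement's structure.
    $stmt = $pdo->prepare('SELECT * FROM `table` WHERE `date` < :cutoff');
    $stmt->execute([':cutoff' => $date->format('Y-m-d')]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (constructed connection parameters, replace with your own):
// $pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false, // server-side prepared statements
// ]);
// $rows = findRowsBefore($pdo, $_GET['suspect_user_provided_date'] ?? '');
```

Two practical notes on the original snippet. First, new DateTime($string) accepts a wide range of relative expressions ("tomorrow", "+1 week") and throws an Exception on anything it cannot parse, so a strict createFromFormat check gives you a predictable contract at the boundary and a clear error instead of a 500. Second, the original delimits the date with double quotes inside the SQL; on MySQL that works only while the ANSI_QUOTES sql_mode is off, because with it enabled double quotes delimit identifiers, not strings. Binding the value avoids that dependency entirely.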