I'm passing some simple user data into a mysql database.
PHP's urlencode() returns a string in which all non-alphanumeric characters except -_. have been replaced with a percent (%) sign followed by two hex digits.
I'm not worried about the spaces turning into pluses, or other formatting issues. Neither am I worried about XSS and other HTML hacks.
I believe I should be safe from ' and ) style attacks.
QUESTION: Are there other kinds of sql attacks that could be used with - or _ or . ?
EXAMPLE:
mysql_query("UPDATE cars SET color = '".urlencode($c)."' WHERE garage = 29");
Thank you in advance
The only sure way to prevent SQL Injection attacks is input validation and parametrized queries including prepared statements. The application code should never use the input directly. The developer must sanitize all input, not only web form inputs such as login forms.
And it is easy to find and almost as easy to avoid. Why is SQL injection still with us? It all comes down to a lack of understanding about how SQLi vulnerabilities work. The problem is that Web developers tend to think that database queries are coming from a trusted source, namely the database server itself.
The severity of SQL Injection attacks is limited by the attacker's skill and imagination, and to a lesser extent, defense in depth countermeasures, such as low privilege connections to the database server and so on. In general, consider SQL Injection a high impact severity.
urlencode() has nothing to do with SQL, so it does as much to prevent SQL injection as kerosene does to make your burgers more delicious. Besides, everything that enters your database will end up URL encoded, which you then have to decode if you want to do anything useful with it after retrieving it from the database.
Escaping your queries, on the other hand, helps your application to guard against SQL injection, and nothing more. It does not modify the data you enter into your queries; it only protects your queries from being tampered with. That's the idea of SQL injection, and it's also why URL encoding your data doesn't do anything to protect against it. Granted, it does turn your apostrophes ' into %27, rendering them harmless, but as mentioned in the above paragraph, you'll have to URL decode them back into apostrophes in order to use them.
Use the right tool for the right purpose. Especially in the year 2011, you should be using prepared statements instead of manually escaping your query variables and concatenating strings to form queries.
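The difference between the two approaches, as an added example that is not part of the question or either answer: the questioner's urlencode() concatenation is run side by side with the prepared statement the answer recommends, on the same input. It assumes PDO with an in-memory SQLite database as a stand-in for MySQL so it runs offline; the cars table, the garage value 29 and the sample input are constructed for the demonstration.

```php
<?php
// Added example; not code from the question or the answers.
// Assumes PDO with the pdo_sqlite driver; 'sqlite::memory:' stands in for the
// MySQL server of the original question so the script runs without one.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed schema and row, matching the shape of the question's query.
    $db->exec("CREATE TABLE cars (garage INTEGER, color TEXT)");
    $db->exec("INSERT INTO cars (garage, color) VALUES (29, 'red')");
    return $db;
}

function currentColor(PDO $db): string
{
    return (string) $db->query("SELECT color FROM cars WHERE garage = 29")->fetchColumn();
}

// The questioner's approach: URL-encode the value, then concatenate it into the SQL text.
// The query does not break, but what gets stored is the encoded form, not the user's data.
function updateWithUrlencode(PDO $db, string $c): string
{
    $db->exec("UPDATE cars SET color = '" . urlencode($c) . "' WHERE garage = 29");
    return currentColor($db);
}

// The answer's recommendation: a prepared statement with bound parameters.
// The value never becomes part of the SQL text, so it needs no encoding and is stored as-is.
function updateWithPreparedStatement(PDO $db, string $c): string
{
    $stmt = $db->prepare("UPDATE cars SET color = :color WHERE garage = :garage");
    $stmt->execute([':color' => $c, ':garage' => 29]);
    return currentColor($db);
}

// Constructed sample input: a perfectly legitimate value that happens to
// contain a space and an apostrophe.
$input = "dark blue' metallic";

$db = openDb();

$stored = updateWithUrlencode($db, $input);
echo "urlencode + concatenation stored: " . $stored . PHP_EOL;
// Reading it back requires urldecode() on every code path that touches the column.
echo "  decoded on read:                 " . urldecode($stored) . PHP_EOL;
echo "  equals original input?           " . var_export($stored === $input, true) . PHP_EOL;

$stored = updateWithPreparedStatement($db, $input);
echo "prepared statement stored:        " . $stored . PHP_EOL;
echo "  equals original input?           " . var_export($stored === $input, true) . PHP_EOL;
```

Run with `php example.php`. The first update stores "dark+blue%27+metallic", so the row no longer holds what the user typed and every reader of the column must remember to urldecode() it; the second stores "dark blue' metallic" unchanged, because a bound parameter is sent to the driver separately from the SQL text and is never interpreted as part of the query. That separation, rather than any particular character substitution, is what closes the injection vector the question asks about.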