MySQL injection protection and vulnerability signs using PHP [duplicate]

What are the best ways to protect from MySQL injection? What are weaknesses I should look out for?

I know what it is, but I really have no idea how vulnerable I might be, though I have taken (what I think to be) steps toward protecting myself and my database.

Is there any sure-fire way of stopping someone?

BTW... I write in PHP :)

asked Feb 13 '09 00:02 by johnnietheblack



2 Answers

Use prepared statements instead of mixing the statement and the actual payload data.

See:

  • http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.html
  • PDO::prepare
  • mysqli::prepare

You might also be interested in http://shiflett.org/articles/sql-injection and http://shiflett.org/blog/2007/sep/the-unexpected-sql-injection

answered Oct 26 '22 21:10 by VolkerK


Trust no one!

Sanitize all input -- filter_var() or regexes or in_array() of valid values or a mixed strategy depending on datatype.

"Input" means any source of input that you don't directly control -- not just forms!

Sanitize anything you get back from $_GET, $_POST, $_SESSION, $_COOKIE -- anything that could have any possibility of being tainted.

AND

Use prepared statements

answered Oct 26 '22 20:10 by PartialOrder
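How the "mixed strategy depending on datatype" in the answer above combines with prepared statements, as an added example that is not part of the original answer. It goes one step past the answer: some pieces of a query (the ORDER BY column, the sort direction) are identifiers, not values, and cannot be bound as parameters, so they are checked with `in_array()` against a fixed whitelist; the integer is validated with `filter_var()`; the free-text search term is bound. The `listUsers()` function, the `SORTABLE_COLUMNS` whitelist, the in-memory SQLite table and the request parameters are all constructed for the demo.

```php
<?php
// Added example (not from the original answer): validate each request value by
// its datatype, then bind what can be bound. Table, rows and the $params arrays
// (which mimic $_GET) are constructed here; SQLite is used so it runs offline.
declare(strict_types=1);

const SORTABLE_COLUMNS = ['name', 'created'];
const SORT_DIRECTIONS  = ['ASC', 'DESC'];

/**
 * Build and run a paged listing from untrusted request parameters.
 * Every value in $params is a string the client controls.
 */
function listUsers(PDO $db, array $params): array
{
    // Integer input: filter_var returns false for anything that is not an int
    // in range, including "10 OR 1=1".
    $limit = filter_var($params['limit'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($limit === false) {
        throw new InvalidArgumentException('limit must be an integer between 1 and 100');
    }

    // Identifiers: accept only exact members of the whitelist (strict in_array,
    // so "0" or other loosely-equal strings do not slip through).
    $column = $params['sort'] ?? 'name';
    if (!in_array($column, SORTABLE_COLUMNS, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $dir = strtoupper($params['dir'] ?? 'ASC');
    if (!in_array($dir, SORT_DIRECTIONS, true)) {
        throw new InvalidArgumentException('sort direction must be ASC or DESC');
    }

    // Free text: no validation makes it safe to concatenate, so it is bound.
    $prefix = ($params['q'] ?? '') . '%';

    // Only whitelisted tokens reach the SQL text; the values are bound parameters.
    $sql = "SELECT name, created FROM users WHERE name LIKE :prefix ORDER BY $column $dir LIMIT :limit";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':prefix', $prefix, PDO::PARAM_STR);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, created TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', '2009-01-01'), ('bob', '2009-02-01'), ('carol', '2009-03-01')");

// A normal request: names starting with "a", newest first.
print_r(listUsers($db, ['q' => 'a', 'sort' => 'created', 'dir' => 'desc', 'limit' => '10']));

// Hostile requests: each is rejected before any SQL is built.
foreach ([
    ['sort' => 'name; DROP TABLE users', 'limit' => '10'],
    ['limit' => '10 OR 1=1'],
] as $hostile) {
    try {
        listUsers($db, $hostile);
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
```

The point of the split is that validation decides what is allowed to appear in the statement text (a handful of known column names and directions), while binding handles everything whose content you cannot enumerate. `PDO::PARAM_INT` on the LIMIT parameter matters on MySQL with emulated prepares, where a string-typed value would be quoted and rejected.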