What are the best ways to protect from MySQL injection? What are weaknesses I should look out for?
I know what it is, but I really have no idea how vulnerable I might be. Though I have taken (what I think to be) steps toward protecting myself and my database.
Is there any sure-fire way of stopping someone?
BTW... I write in PHP :)
To prevent SQL Injection vulnerabilities in PHP, use PHP Data Objects (PDO) to create parametrized queries (prepared statements).
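As an added example (not code from this answer or the ones below that also recommend PDO::prepare() and PDOStatement::execute()), here is the string-built query the answers warn against next to its prepared-statement replacement. It uses an in-memory SQLite database so it runs offline; with MySQL only the DSN changes. The table, rows and hostile input are constructed for the demo.

```php
<?php
// Added example, not code from any answer on this page: the vulnerable
// string-built query next to its PDO prepared-statement replacement.
// Uses an in-memory SQLite database so it runs offline; with MySQL the DSN
// would be "mysql:host=...;dbname=...;charset=utf8mb4" and the rest is
// identical. The table and rows are constructed sample data.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL, turn off client-side prepare emulation so the server itself
// binds the values (the SQLite driver has no such setting).
if ($pdo->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
}

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// VULNERABLE: the untrusted value becomes part of the SQL text, so quote
// characters in it change the meaning of the statement.
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name, role FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the SQL text is fixed at prepare time; the value is sent separately
// as a bound parameter and is only ever compared, never parsed as SQL.
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed hostile input: a closing quote followed by an always-true condition.
$hostile = "' OR '1'='1";

echo "unsafe: " . count(findUserUnsafe($pdo, $hostile)) . " rows\n"; // every user leaks
echo "safe:   " . count(findUserSafe($pdo, $hostile)) . " rows\n";   // nobody has that literal name

// Normal lookups still work through the prepared statement.
echo "alice:  " . count(findUserSafe($pdo, 'alice')) . " row\n";
```

The safe version needs no escaping at all: because the statement text never contains user data, there is nothing for a stray quote to terminate. The emulate-prepares check matters on MySQL, where PDO otherwise interpolates the values client-side; it is harmless on other drivers.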
PHP has a specially-made function to prevent these attacks. All you need to do is use the mouthful of a function, mysql_real_escape_string. mysql_real_escape_string takes a string that is going to be used in a MySQL query and returns the same string with all SQL injection attempts safely escaped.
SQL Injection (SQLi) is a type of injection attack that makes it possible to execute malicious SQL statements. These statements control a database server behind a web application. Attackers can use SQL Injection vulnerabilities to bypass application security measures.
Also, calling PDO::prepare() and PDOStatement::execute() helps to prevent SQL injection attacks by eliminating the need to manually quote and escape the parameters.
Use prepared statements instead of mixing the statement and the actual payload data.
see
You might also be interested in http://shiflett.org/articles/sql-injection and http://shiflett.org/blog/2007/sep/the-unexpected-sql-injection
Trust no one!
Sanitize all input -- filter_var() or regexes or in_array() of valid values, or a mixed strategy depending on datatype.
"Input" means any source of input that you don't directly control -- not just forms!
Sanitize anything you get back from $_GET, $_POST, $_SESSION, $_COOKIE -- anything that could have any possibility of being tainted.
AND
Use prepared statements
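Added example (not code from this answer) of the mixed strategy it describes: filter_var() validates the integer, in_array() with strict comparison allow-lists the parts of the SQL that cannot be bound as parameters (a column name and a sort direction), and the one user-supplied value reaches the query as a PDO bound parameter. The request arrays stand in for $_GET, and the table, rows, column allow-list and function names are all constructed for the demo.

```php
<?php
// Added example, not code from any answer on this page. Untrusted request
// values are validated before they reach the query: filter_var() for the
// integer, in_array() with strict comparison for the parts of SQL that
// cannot be bound (column name, sort direction), and a PDO bound parameter
// for the value. The request arrays and the table are constructed for the demo.

// Identifiers and keywords cannot be passed as parameters, so they must be
// chosen from an explicit allow-list rather than escaped.
const SORTABLE_COLUMNS = ['name', 'role'];
const SORT_DIRECTIONS  = ['ASC', 'DESC'];

function validatedMinId(array $input): int
{
    $id = filter_var($input['min_id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('min_id must be a positive integer');
    }
    return $id;
}

function validatedSort(array $input): array
{
    $col = $input['sort'] ?? 'name';
    $dir = is_string($input['dir'] ?? null) ? strtoupper($input['dir']) : 'ASC';
    if (!in_array($col, SORTABLE_COLUMNS, true) || !in_array($dir, SORT_DIRECTIONS, true)) {
        throw new InvalidArgumentException('unsupported sort column or direction');
    }
    return [$col, $dir];
}

function listUsers(PDO $pdo, array $input): array
{
    $minId = validatedMinId($input);
    [$col, $dir] = validatedSort($input);
    // $col and $dir are allow-listed constants; the only user-controlled
    // value, $minId, travels as a typed bound parameter.
    $stmt = $pdo->prepare("SELECT id, name, role FROM users WHERE id >= :min ORDER BY $col $dir");
    $stmt->bindValue(':min', $minId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user'), ('carol', 'user')");

// Constructed stand-ins for $_GET: one well-formed request, one asking to
// sort by a column that is not on the allow-list, one with a non-numeric id.
$requests = [
    ['min_id' => '2', 'sort' => 'name', 'dir' => 'desc'],
    ['min_id' => '1', 'sort' => 'password_hash', 'dir' => 'ASC'],
    ['min_id' => 'abc', 'sort' => 'role'],
];

foreach ($requests as $req) {
    try {
        $rows = listUsers($pdo, $req);
        echo json_encode($req) . ' -> ' . count($rows) . " rows\n";
    } catch (InvalidArgumentException $e) {
        echo json_encode($req) . ' -> rejected: ' . $e->getMessage() . "\n";
    }
}
```

The strict third argument to in_array() matters: without it, PHP's loose comparison can match values you did not intend, and an array smuggled in via sort[]=... would not be caught. Validation and prepared statements are complementary here, not alternatives: the allow-list covers what parameters cannot, and the bound parameter covers the value.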