Menu
Does the following PHP MySQL statement protect against SQL Injection?
$strSQL = "SELECT * FROM Benutzer WHERE Benutzername = '".$Benutzer."' AND Password = '".md5($PW)."'";
The Variables $Benutzer and $PW are inputs from the User.
We're checking the username and password against common SQL Injection techniques:
' or 0=0 --," or 0=0 --,or 0=0 --,' or 0=0 #," or 0=0 #,or 0=0 #,' or 'x'='x," or "x"="x,') or ('x'='x,' or 1=1--," or 1=1--,or 1=1--,' or a=a--," or "a"="a,') or ('a'='a,") or ("a"="a,hi" or "a"="a,hi" or 1=1 --,hi' or 1=1 --,hi' or 'a'='a,hi') or ('a'='aandhi") or ("a"="a.
Am I missing something? Should I use a different method to protect against SQL injection?
525
You should always use parameterized statements where available, they are your number one protection against SQL injection. You can see more examples of parameterized statements in various languages in the code samples below.
How to Prevent an SQL Injection. The only sure way to prevent SQL Injection attacks is input validation and parametrized queries including prepared statements. The application code should never use the input directly.
SQL Injection is a code injection technique that hackers can use to insert malicious SQL statements into input fields for execution by the underlying SQL database. This technique is made possible because of improper coding of vulnerable web applications.
You may want to look into parameterized queries for querying the database. This eliminates SQL injection attacks.
I work primarily with postgreSQL, and the format for doing such a query would look something like this:
$query = 'select * from Benutzer where Benutzername = $1 and Passwort = $2';
$params = array($Benutzer, md5($PW));
$results = pg_query_params($query, $params);
Most databases have a function that will be similar to this funationality.
I hope this helps and good luck!
Kyle
198
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
