SQL Injection?

by 13 replies
16
How can I block SQL Injection into my MySQL queries?

I am new to this, and was showing a web developer pal, who just blew my mind when he used an injection.

Any help welcomed.

#programming #injection #sql
  • Stripping out apostrophes from strings before allowing them to be used in a SQL statement would be a good start.

    Personally, in my programming days I used stored procedures for everything - put all of the T-SQL code into stored procedures and then deny the web user access to INSERT/UPDATE/DELETE database tables, but GRANT access to execute the stored procedures. That way even if someone was able to hack the site and get the database username/password all they could do is execute the stored procedures.
  • Yeah for the sake of developers that come after you please don't use stored procedures.

    SQL injection is basically allowing a person to execute arbitrary code by not sanitizing their input. So, all that needs to be done is to sanitize the input (simple eh?)

    So some of the old dogs, or amateurs, will quickly jump in and go 'just use mysql_real_escape_string' - don't listen to them.

    So I present you the solution: PDO and prepared statements. Check out this tutorial, if you are serious about programming it will likely be the most important 30 minutes you use this year: Why you Should be using PHP’s PDO for Database Access | Nettuts+

    And don't feel bad, when I first found out about SQL injection my mind was blown and I was in your exact same situation.
    • [ 1 ] Thanks
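    The comparison the reply above is driving at, as an added example that is not code from the thread or from the linked tutorial: the same lookup written once by concatenating the user's value into the SQL text and once as a PDO prepared statement, so you can watch the first one return every row for a quote-breaking input while the second one treats it as an ordinary name. It uses an in-memory SQLite database so it runs with no server; the table, the seed rows and the `users_input` value are constructed for the demo, and the function names are assumptions. For MySQL only the DSN changes (`mysql:host=...;dbname=...;charset=utf8mb4`), and there you would also set `PDO::ATTR_EMULATE_PREPARES` to `false` so values are bound server-side instead of being interpolated by the client.

```php
<?php
// Added example (not from the thread): string concatenation vs a PDO prepared
// statement. Runs offline on SQLite; for MySQL swap the DSN and set
// PDO::ATTR_EMULATE_PREPARES to false. Table and rows below are constructed.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
    $seed = $pdo->prepare('INSERT INTO users (name, email) VALUES (?, ?)');
    foreach ([['alice', 'alice@example.com'], ['bob', 'bob@example.com']] as $row) {
        $seed->execute($row); // constructed sample users
    }
    return $pdo;
}

// Unsafe: the user's value becomes part of the SQL grammar.
function findUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the value is shipped as a parameter and is never parsed as SQL.
function findSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Numeric columns: validate, then bind as an integer. Escaping quotes does
// nothing for an unquoted number, which is why binding beats "sanitizing".
function findById(PDO $pdo, string $rawId): ?string
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null; // reject rather than trying to clean the value
    }
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

$pdo = connect();
$input = "' OR '1'='1"; // constructed: a quote that closes the literal early

print_r(findUnsafe($pdo, $input)); // both names: the OR matched every row
print_r(findSafe($pdo, $input));   // empty array: nobody is literally named that
var_dump(findById($pdo, '1'));      // "alice"
var_dump(findById($pdo, '1 OR 1')); // NULL: rejected before any SQL runs
```

    The point to take from running it: the prepared statement needs no knowledge of which characters are "dangerous", because the database never sees the value as part of the statement text. That is also why the integer case is handled by validation plus `PDO::PARAM_INT` rather than by escaping.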
  • Banned
    [DELETED]
    • [1] reply
    • This is from bobby-tables.com

      "Use parameterized SQL calls.
      That's it.

      Don't try to escape invalid characters.

      Don't try to do it yourself. Learn how to use parameterized statements.
      Always, every single time.
      The strip gets one thing crucially wrong.

      The answer is not to "sanitize your database inputs" yourself. It is prone to error."


      I always use this website because I change languages so often. It is a very good reference.
  • mysql_real_escape_string()

    is a good start
    • [ 1 ] Thanks
    • [1] reply
    • SQL injection refers to the act of someone inserting a MySQL statement to be run on your database without your knowledge. Injection usually occurs when you ask a user for input, like their name, and instead of a name they give you a MySQL statement that you will unknowingly run on your database.
      This problem has been known for a while and PHP has a specially-made function to prevent these attacks. All you need to do is use the mouthful of a function mysql_real_escape_string.
      What mysql_real_escape_string does is take a string that is going to be used in a MySQL query and return the same string with all SQL Injection attempts safely escaped. Basically, it will replace those troublesome quotes(') a user might enter with a MySQL-safe substitute, an escaped quote \'.
      • [1] reply
  • [DELETED]
  • which programming language do you use?
    • [1] reply
    • Python whenever possible. I tend to get dragged into PHP.
  • Are you using any platform such as WordPress or any framework for coding? Or is it raw PHP code?

    Essentially all it is: You have to ensure any values that are passed to mysql from user input are sanitized. It varies slightly from query to query but the idea is the same.

    I am assuming your application is rather small so if you would like to provide some references I am sure we could help you out.

    Mr Alexander
  • PDO or MySQLi

    Good luck if you are using CodeIgniter since MySQLi is not implemented.....
  • Wow this post was from November of last year? Who dug this thing up anyway? hehe
  • //unsafe: the raw POST value goes straight into the query text
    $users = $_POST["users_input"];

    //Safe way to do it.
    //mysql_real_escape_string() needs an open mysql_* connection, and the
    //escaped value must still be placed inside quotes in the query string.
    $users = mysql_real_escape_string($_POST["users_input"]);
