Sunday, 3 April 2016

php - Protection against SQL injection





Does the following PHP MySQL statement protect against SQL Injection? 



$strSQL = "SELECT * FROM Benutzer WHERE Benutzername = '".$Benutzer."' AND Password = '".md5($PW)."'";


The Variables $Benutzer and $PW are inputs from the User.



We're checking the username and password against common SQL Injection techniques:





' or 0=0 --, " or 0=0 --, or 0=0
--, ' or 0=0 #, " or 0=0 #, or 0=0 #, ' or 'x'='x, " or "x"="x,
') or ('x'='x, ' or 1=1--, " or
1=1--, or 1=1--, ' or a=a--, "
or "a"="a, ') or ('a'='a, ") or
("a"="a, hi" or "a"="a, hi" or 1=1
--, hi' or 1=1 --, hi' or 'a'='a, hi') or ('a'='a and hi") or
("a"="a.





Am I missing something? Should I use a different method to protect against SQL injection?


Answer



You may want to look into parameterized queries for querying the database. This eliminates SQL injection attacks.



I work primarily with postgreSQL, and the format for doing such a query would look something like this:



$query = 'select * from Benutzer where Benutzername = $1 and Passwort = $2';
$params = array($Benutzer, md5($PW));
$results = pg_query_params($query, $params);



Most databases have a function that will be similar to this funationality.



I hope this helps and good luck!



Kyle


-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

c++ - Does curly brackets matter for empty constructor?

Those brackets declare an empty, inline constructor. In that case, with them, the constructor does exist, it merely does nothing more than t...