  1. #1
    Join Date
    Jul 2009
    Posts
    56

    Unanswered: SQL Injection Prevention

    I understand that the best way to prevent SQL Injection is to use server side Prepared Statements (Parameterized Queries) and input validation on the client.

    This seems to be necessary for INSERT, UPDATE and REPLACE statements only, since they change the database.

    Can someone point me to some good examples for Prepared Statements for PHP / MySQL on Apache?

    What is the performance impact of Prepared Statements ?

    Thanks,
    David
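    The question asks for a concrete PHP/MySQL prepared-statement example. The following is an added illustration written for this thread, not code posted by David or any other participant. It assumes a table `users(id, username, email)` and placeholder connection credentials; both are constructed for the example. It shows the same SELECT in its string-concatenated form (commented out, to make the contrast visible) and in its parameterised form, and it answers the performance question in code: a statement is prepared once and executed many times, so the parse/plan cost is paid a single time.

```php
<?php
// Added example (not from the thread): mysqli prepared statements for SELECT and INSERT.
// Assumed schema: users(id INT, username VARCHAR, email VARCHAR). Credentials are placeholders.

declare(strict_types=1);

// Throw exceptions on every MySQL error instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');   // declare the connection charset so escaping rules match

// --- Concatenated form (shown only for contrast, deliberately not executed) ---
// The value becomes part of the SQL text, so a quote character inside $name
// changes the statement itself rather than being compared as data:
// $result = $db->query("SELECT id, email FROM users WHERE username = '$name'");

// --- Parameterised form: the SQL text is fixed, the value travels separately ---
function findUserByName(mysqli $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE username = ?');
    $stmt->bind_param('s', $name);           // 's' = string parameter
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

// Prepare once, execute many: the server parses and plans the INSERT a single time.
function insertUsers(mysqli $db, array $users): int
{
    $stmt = $db->prepare('INSERT INTO users (username, email) VALUES (?, ?)');
    $username = $email = '';
    $stmt->bind_param('ss', $username, $email); // bound by reference, re-read on each execute()
    $count = 0;
    foreach ($users as [$username, $email]) {
        $stmt->execute();
        $count += $stmt->affected_rows;
    }
    $stmt->close();
    return $count;
}

// Constructed sample data. The apostrophe in "o'brien" is stored as an ordinary
// character; with the concatenated form above it would have broken the statement.
$inserted = insertUsers($db, [
    ['alice',   'alice@example.com'],
    ["o'brien", 'ob@example.com'],
]);
echo "Inserted $inserted rows\n";

var_dump(findUserByName($db, "o'brien"));   // returns that one row, nothing else
```

    The same pattern applies to SELECT, INSERT, UPDATE and DELETE alike: the statement text never contains user data, so the database cannot mistake any part of a value for SQL.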

  2. #2
    Join Date
    Jun 2003
    Location
    Ohio
    Posts
    12,592
    Provided Answers: 1
    Incorrect. Even SELECT statements can be used for SQL Injection. The idea is that an SQL transaction is hidden in the SELECT statement.
    If it's not practically useful, then it's practically useless.

    blindman
    www.chess.com: "sqlblindman"
    www.LobsterShot.blogspot.com

  3. #3
    Join Date
    Nov 2004
    Location
    out on a limb
    Posts
    13,692
    Provided Answers: 59
    input validation at the client yes, input validation at the server definitely
    make use of the inbuilt PHP functions such as mysql_real_escape_string

    don't trust anything from outside the system (any user input)
    don't trust anything that may be stored on or modified on the remote system (e.g. cookies, POST, GET or other variables)

    in essence this is too big a topic for a site such as this, in part because we don't seem to get much activity on the PHP forums these days. So I'd suggest you find a site which specialises in PHP

    you may also want to look at
    mysql_client_encoding() - Returns the name of the character set
    addslashes() - Quote string with slashes
    stripslashes() - Un-quotes a quoted string
    The magic_quotes_gpc directive
    The magic_quotes_runtime directive
    I'd rather be riding on the Tiger 800 or the Norton

  4. #4
    Join Date
    Jul 2009
    Posts
    56
    Thanks a lot for your replies.
    No SQL statements come directly from the client in my application.
    The client sends parameter values or JSON objects (as strings) to PHP.
    PHP stores all SQL statements in an include-directory that is only accessible locally on the server.

    So when I validate on the client AND on the server with:
    1. erasing suspicious keywords (can anyone point to a list?)
    2. erasing suspicious characters (can anyone point to a list?)
    3. then escaping with mysqli_real_escape_string
    4. then using the validated parameters in Prepared Statements (Parameterized Queries)
    5. data transfer between client and PHP only over secure SSL protocol.


    I should be on the safe side,

    right?


    David
    Last edited by vivoices; 06-24-10 at 13:57.
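    David's setup sends parameter values and JSON strings from the client and keeps the SQL text on the server. The following added example, written for this thread and not code from any participant, shows how server-side validation of such parameters can be done as an allow-list (reject what does not match an expected type or format) and how the validated values are then bound in a PDO prepared statement. The table `notes(id, owner_id, body, created_at)`, the sample JSON and the connection credentials are constructed assumptions. It also covers the one case a placeholder cannot handle, a column name chosen by the client, which is checked against a fixed list instead.

```php
<?php
// Added example (not from the thread): allow-list validation of JSON parameters
// followed by a PDO prepared statement. Schema and credentials are assumptions.

declare(strict_types=1);

// Constructed sample of a client request body: a JSON string carrying parameters only.
$rawJson = '{"user_id": "42", "sort": "created_at", "search": "select a chess board"}';

/**
 * Decode and validate. Each parameter must match an explicit type, format or
 * list of allowed values; anything else is rejected rather than "cleaned".
 */
function validateParams(string $json): array
{
    $p = json_decode($json, true, 8, JSON_THROW_ON_ERROR);

    if (!isset($p['user_id']) || !ctype_digit((string) $p['user_id'])) {
        throw new InvalidArgumentException('user_id must be a non-negative integer');
    }

    // Identifiers cannot be bound as parameters, so a client-chosen sort column
    // is only accepted if it is one of these exact names.
    $allowedSort = ['created_at', 'username'];
    $sort = $p['sort'] ?? 'created_at';
    if (!in_array($sort, $allowedSort, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }

    $search = (string) ($p['search'] ?? '');
    if (mb_strlen($search) > 100) {
        throw new InvalidArgumentException('search term too long');
    }

    return ['user_id' => (int) $p['user_id'], 'sort' => $sort, 'search' => $search];
}

function searchNotes(PDO $pdo, array $params): array
{
    // Only the allow-listed identifier is interpolated; every value is bound.
    $sql = "SELECT id, body FROM notes WHERE owner_id = :uid AND body LIKE :term "
         . "ORDER BY {$params['sort']}";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':uid', $params['user_id'], PDO::PARAM_INT);

    // LIKE has its own metacharacters (% and _); escape them so the user's term
    // is matched literally. The word "select" in the term is just text here.
    $term = '%' . addcslashes($params['search'], '%_\\') . '%';
    $stmt->bindValue(':term', $term, PDO::PARAM_STR);

    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=app_db;charset=utf8mb4',
    'app_user',
    'app_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepare, not client emulation
    ]
);

try {
    $params = validateParams($rawJson);
    foreach (searchNotes($pdo, $params) as $row) {
        echo $row['id'], ': ', $row['body'], "\n";
    }
} catch (InvalidArgumentException | JsonException $e) {
    http_response_code(400);                  // malformed input is refused, not repaired
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

    Two design points in the block: values that are bound through placeholders are not passed through `mysqli_real_escape_string` or keyword filters, since the driver already keeps them out of the SQL text, and a legitimate value such as a note containing the word "select" survives intact; the only place user-influenced text reaches the statement string is the `ORDER BY` column, which is why that one is restricted to a fixed list.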

  5. #5
    Join Date
    Nov 2004
    Location
    out on a limb
    Posts
    13,692
    Provided Answers: 59
    PHP is designed to be aware of problems of SQL injection attacks, providing the developer uses the appropriate functions that should stop someone tagging the payload on the back of the SQL query.

    providing you make certain that the SQL sent to the server is what you expect then there shouldn't be an issue

    as others have said
    injection attacks are an attempt by a scumbag to tack on another bit of SQL on the back of what you intended.
    usually that's trying to get usernames & passwords.

    as said before this isn't 'the' forum for PHP...... the google reference to the PHP site should help discovering what you need to know
    I'd rather be riding on the Tiger 800 or the Norton
