Does the following PHP MySQL statement protect against SQL
Injection?
$strSQL =
"SELECT * FROM Benutzer WHERE Benutzername = '".$Benutzer."' AND Password =
'".md5($PW)."'";
The
Variables $Benutzer
and $PW
are inputs
from the User.
We're checking the username and
password against common SQL Injection
techniques:
' or 0=0 --
," or 0=0 --
,
or 0=0
,
--' or 0=0 #
,
" or 0=0 #
,or 0=0 #
,' or
,
'x'='x" or "x"="x
,
') or ('x'='x
,' or 1=1--
,
" or
,
1=1--or 1=1--
,
' or a=a--
,"
,
or "a"="a
') or ('a'='a
,") or
,
("a"="ahi" or "a"="a
,hi" or
,
1=1
--hi' or 1=1 --
,hi'
,
or 'a'='ahi') or ('a'='a
andhi")
.
or
("a"="a
Am
I missing something? Should I use a different method to protect against SQL
injection?
You may want to look into
parameterized queries for querying the database. This eliminates SQL injection
attacks.
I work primarily with postgreSQL, and
the format for doing such a query would look something like
this:
$query = 'select * from
Benutzer where Benutzername = $1 and Passwort = $2';
$params =
array($Benutzer, md5($PW));
$results = pg_query_params($query,
$params);
Most
databases have a function that will be similar to this
funationality.
I hope this helps and
good luck!
Kyle
No comments:
Post a Comment