Sunday, 21 April 2019

php - Protection against SQL injection




Does the following PHP MySQL statement protect against SQL Injection? 



$strSQL = "SELECT * FROM Benutzer WHERE Benutzername = '".$Benutzer."' AND Password = '".md5($PW)."'";



The Variables $Benutzer and $PW are inputs from the User.



We're checking the username and password against common SQL Injection techniques:




' or 0=0 --, " or 0=0 --, or 0=0
--, ' or 0=0 #, " or 0=0 #, or 0=0 #, ' or 'x'='x, " or "x"="x,
') or ('x'='x, ' or 1=1--, " or
1=1--, or 1=1--, ' or a=a--, "

or "a"="a, ') or ('a'='a, ") or
("a"="a, hi" or "a"="a, hi" or 1=1
--, hi' or 1=1 --, hi' or 'a'='a, hi') or ('a'='a and hi") or
("a"="a.




Am I missing something? Should I use a different method to protect against SQL injection?


Answer



You may want to look into parameterized queries for querying the database. This eliminates SQL injection attacks.




I work primarily with postgreSQL, and the format for doing such a query would look something like this:



$query = 'select * from Benutzer where Benutzername = $1 and Passwort = $2';
$params = array($Benutzer, md5($PW));
$results = pg_query_params($query, $params);


Most databases have a function that will be similar to this funationality.



I hope this helps and good luck!




Kyle


-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

php - file_get_contents shows unexpected output while reading a file

I want to output an inline jpg image as a base64 encoded string, however when I do this : $contents = file_get_contents($filename); print ...