Tuesday, 19 September 2017

php - Protection against SQL injection




Does the following PHP MySQL statement protect against SQL Injection? 



$strSQL = "SELECT * FROM Benutzer WHERE Benutzername = '".$Benutzer."' AND Password = '".md5($PW)."'";



The Variables $Benutzer and $PW are inputs from the User.



We're checking the username and password against common SQL Injection techniques:




' or 0=0 --, " or 0=0 --, or 0=0
--, ' or 0=0 #, " or 0=0 #, or 0=0 #, ' or 'x'='x, " or "x"="x,
') or ('x'='x, ' or 1=1--, " or

1=1--, or 1=1--, ' or a=a--, "
or "a"="a, ') or ('a'='a, ") or
("a"="a, hi" or "a"="a, hi" or 1=1
--, hi' or 1=1 --, hi' or 'a'='a, hi') or ('a'='a and hi") or
("a"="a.




Am I missing something? Should I use a different method to protect against SQL injection?


Answer



You may want to look into parameterized queries for querying the database. This eliminates SQL injection attacks.




I work primarily with postgreSQL, and the format for doing such a query would look something like this:



$query = 'select * from Benutzer where Benutzername = $1 and Passwort = $2';
$params = array($Benutzer, md5($PW));
$results = pg_query_params($query, $params);


Most databases have a function that will be similar to this funationality.




I hope this helps and good luck!



Kyle


-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

casting - Why wasn't Tobey Maguire in The Amazing Spider-Man? - Movies & TV

In the Spider-Man franchise, Tobey Maguire is an outstanding performer as a Spider-Man and also reprised his role in the sequels Spider-Man...