SQL Injection worry

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Patty
Forum Newbie
Posts: 4
Joined: Sun Sep 07, 2008 2:10 pm

SQL Injection worry

Post by Patty »

I have a form and the input that can be accepted can be up to 32 characters in length and can accept any standard keyboard character such as (%,#,!, @, {, |, +) etc. So basically, the user could type in anything they wish and it could be accepted as legitimate!

How can I safely enter this type of user input into my MySQL database without it being susceptible to attacks?
Patty
Forum Newbie
Posts: 4
Joined: Sun Sep 07, 2008 2:10 pm

Re: SQL Injection worry

Post by Patty »

As I look into this a little bit more, are the bin2hex($string) and pack("H*", bin2hex($string)) functions safe enough to use in this case?
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: SQL Injection worry

Post by jaoudestudios »

I would use mysql_real_escape_string
Verminox
Forum Contributor
Posts: 101
Joined: Sun May 07, 2006 5:19 am

Re: SQL Injection worry

Post by Verminox »

jaoudestudios wrote:I would use mysql_real_escape_string
:yar:

mysql_real_escape_string takes care of all special characters that might be used as tokens in your particular MySQL charset.
rabw
Forum Newbie
Posts: 18
Joined: Tue May 29, 2007 5:57 pm

Re: SQL Injection worry

Post by rabw »

I've just moved on from dabbling with php/mysql cms's/forums/mailers to writing my own php/mysql from scratch.

Would mysql_real_escape_string protect against someone inputting ";rm.......blah" etc? I've searched for regular expressions for what you should disallow, but can't seem to find anything conclusive.

Thanks
Richard

Edit: Sorry for not keeping up, I'm new to this and see that this has nothing whatsoever to do with that, so I will ask elsewhere (but thanks for the heads up on SQL Injections, is this something you should perform on any user input to an SQL db?)
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: SQL Injection worry

Post by Mordred »

Apply to all input values, no matter where they come from (it may not be obvious if it is user input or not)

You also gotta be careful not to do certain things, and use proper quotes: http://www.logris.org/security/the-unex ... -injection

Proper measures will protect against all injection attacks. In addition though, PHP's client for talking to MySQL will not accept query stacking with ; so it's not a worry. (With MySQL it is possible only with a specific API from the mysqli_* family)
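An added example (not code from anyone in this thread) that puts Verminox's and Mordred's points side by side: escaping makes the input a string literal again, but only if the value actually sits inside quotes, and an unquoted numeric comparison is not saved by any escaping function. mysql_real_escape_string belongs to the old mysql extension, which was deprecated in PHP 5.5 and removed in PHP 7.0, so the example uses PDO::quote, which escapes for the connected driver and adds the surrounding quotes; the database is an in-memory SQLite file so the script runs without a server. The users table and the attack strings are constructed for the demo. To run it against MySQL, swap the DSN for one like 'mysql:host=localhost;dbname=app;charset=utf8mb4' (assumed values); declaring the charset in the DSN is what lets the escaper know which bytes are special for that connection, the point Verminox makes.

```php
<?php
// Added example, not from the original thread.
// In-memory SQLite so it runs offline; for MySQL use
//   new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $user, $pass)
// (hypothetical host/db/credentials).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'patty', 's3cret-1'), (2, 'rabw', 's3cret-2')");

// 1. Raw concatenation: the input can close the quote and append SQL.
function lookupUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Escaped AND quoted: whatever the bytes are, they stay inside one literal.
//    PDO::quote() stands in for mysql_real_escape_string() plus the quotes.
function lookupEscaped(PDO $pdo, string $name): array
{
    $sql = 'SELECT id, name FROM users WHERE name = ' . $pdo->quote($name);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Unquoted numeric comparison: "1 OR 1=1" contains no quote, backslash or
//    NUL, so there is nothing for an escaping function to escape. The input
//    is parsed as SQL no matter how carefully it was escaped.
function byIdUnquoted(PDO $pdo, string $id): array
{
    $sql = 'SELECT id, name FROM users WHERE id = ' . $id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 4. Fix for numeric input: cast, so only digits can reach the query text.
function byIdCast(PDO $pdo, string $id): array
{
    $sql = 'SELECT id, name FROM users WHERE id = ' . (int) $id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attack strings, both well under the 32-character limit.
$attack   = "' OR '1'='1";
$idAttack = '1 OR 1=1';

echo count(lookupUnsafe($pdo, $attack)),  " rows from the unquoted, unescaped name\n";
echo count(lookupEscaped($pdo, $attack)), " rows from the escaped and quoted name\n";
echo count(byIdUnquoted($pdo, $idAttack)), " rows from the unquoted id\n";
echo count(byIdCast($pdo, $idAttack)),     " rows from the cast id\n";
```

Running it shows the first and third queries matching every user while the escaped name matches nobody and the cast id matches exactly one row. The rule that follows from Mordred's post: every value that is not a quoted string literal must be cast or validated to its expected type before it goes anywhere near the query text, and that applies to values read back from the database or a session just as much as to $_GET and $_POST.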
allicient
Forum Newbie
Posts: 9
Joined: Fri Sep 19, 2008 7:11 pm

Re: SQL Injection worry

Post by allicient »

Have you looked into using bind-variables - see PHP's PDO extension. It should store the data in binary format directly into/from the db, so no need to escape when doing db queries. Although you always have to think of XSS attacks if you're using the user supplied input further down the line.
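An added example (not allicient's code or anything from the thread) of the bind-variable approach with PDO. The SQL text is prepared once with placeholders and the values are handed over separately, typed as string or integer, so they are never parsed as SQL; that is why no escaping step is needed. The database is in-memory SQLite so the script runs without a server, and the notes table and hostile inputs are constructed for the demo; a MySQL DSN such as 'mysql:host=localhost;dbname=app;charset=utf8mb4' (assumed values) works the same, and turning off ATTR_EMULATE_PREPARES there makes the MySQL server do the preparing rather than the PHP driver.

```php
<?php
// Added example, not from the original thread.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With pdo_mysql this sends the statement and its parameters to the server
// separately (native prepares). Harmless on SQLite, which always prepares natively.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed schema.
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, body TEXT NOT NULL)');

// Insert: any string of up to 32 keyboard characters goes in verbatim,
// quotes, backslashes, %, # and newlines included.
function addNote(PDO $pdo, string $owner, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO notes (owner, body) VALUES (:owner, :body)');
    $stmt->bindValue(':owner', $owner, PDO::PARAM_STR);
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Lookup with one string and one integer parameter. The integer is cast and
// bound as PARAM_INT, so "1 OR 1=1" can never become part of the SQL.
function notesFor(PDO $pdo, string $owner, string $minId): array
{
    $stmt = $pdo->prepare('SELECT id, body FROM notes WHERE owner = :owner AND id >= :min');
    $stmt->bindValue(':owner', $owner, PDO::PARAM_STR);
    $stmt->bindValue(':min', (int) $minId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed hostile input: the "anything on the keyboard" case from the first post.
$hostile = [
    "'; DROP TABLE notes; --",
    '" OR 1=1 #',
    'a\\b%c_d{|}+@!',
    "line one\nline two",
];
foreach ($hostile as $body) {
    addNote($pdo, 'patty', $body);
}
addNote($pdo, 'rabw', 'plain text');

// The stored bodies come back byte-for-byte and the table still exists.
foreach (notesFor($pdo, 'patty', '1') as $row) {
    echo $row['id'], ': ', addcslashes($row['body'], "\0..\37"), "\n";
}

// An injection attempt in either parameter is compared as data and matches nothing.
$rows = notesFor($pdo, "' OR '1'='1", '1 OR 1=1');
echo count($rows), " rows for the injection attempt\n";
```

The four hostile bodies print back exactly as they were typed, the DROP TABLE text is just a stored string, and the final lookup returns no rows. Two caveats a practitioner should keep in mind: placeholders cover values only, so a table or column name or an ORDER BY direction taken from the user still has to be checked against an allow-list, and, as allicient says, storing the data safely says nothing about how it is rendered later; the bodies above would need htmlspecialchars() before going into an HTML page.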
rabw
Forum Newbie
Posts: 18
Joined: Tue May 29, 2007 5:57 pm

Re: SQL Injection worry

Post by rabw »

Mordred wrote:Apply to all input values, no matter where they come from (it may not be obvious if it is user input or not)

You also gotta be careful not to do certain things, and use proper quotes: http://www.logris.org/security/the-unex ... -injection

Proper measures will protect against all injection attacks. In addition though, PHP's client for talking to MySQL will not accept query stacking with ; so it's not a worry. (With MySQL it is possible only with a specific API from the mysqli_* family)
Thanks v much for the reply. Didn't know what the difference was between the MySQL and MySQLi PHP extensions.

Will have to go read up on XSS attacks now! Thanks again.