> SQL injection is another vulnerability of PHP.
As polite as I can possibly say it... You are an idiot! PHP/SQL works exactly as it should. It is the incompetent and inexperienced programmers that create these security holes.
This isn't only a PHP issue, or a particular database issue, but every language and every database is vulnerable, as well as other storage technologies like XML/XPath.
Magic quotes and strip slashes can help mitigate the risk, but using parameterized queries will stop every way of injecting. I would rewrite the code to:
$query = "select * from users where username=?"; // query definition: the ? is a placeholder, not part of the SQL text supplied by the user
$preparedStatement = $database_connection->prepare($query); // prepare the statement on the open mysqli connection
mysqli_stmt_bind_param($preparedStatement, 's', $field1); // bind $field1 by reference as a string (the 's')
$field1 = $name; // you may want to do more input checking here!
mysqli_stmt_execute($preparedStatement); // execute the parameterized query; $field1 is sent as data, never parsed as SQL
I have a very in-depth article on the same topic: https://www.golemtechnologies.com/articles/prevent-sql-injection-attacks
As far as I know, every programming language faces such attacks, but the major thing is that PHP is a loosely typed language, so the attacks are somewhat more severe. But as new versions keep on being released, all the flaws are being overcome in the latest versions. I have also written something about SQL injection in my blog, with some extra information; you can find it here: http://phphunger.blogspot.in/2012/06/how-to-prevent-php-code-from-sql.html
Perhaps it's also a good tip to use prepared statements; that prevents SQL injection, too.
Great to see you're checking for "get_magic_quotes_gpc()". I sometimes tend to forget that, while it can be quite important.
Don't forget that SQL injection doesn't just cover MySQL; it's something that can occur on usage of any database server.
I think this is best for preventing SQL injection:
function makeEncode($sql)
{
    // Strip listed SQL keywords and metacharacters from the value, case-insensitively.
    // sql_regcase() was removed in PHP 7, so the /i modifier is used instead; the
    // empty alternative ("||") in the original pattern matched nothing and is dropped.
    $sql = preg_replace("/(from|select|insert|delete|where|drop table|like|show tables|'|\| |=|-|;|,|\|'|#|\*|--|\\\\)/i", "", $sql);
    $sql = trim($sql);
    $sql = strip_tags($sql);
    // get_magic_quotes_gpc() (removed in PHP 8) and mysql_real_escape_string() (removed in PHP 7)
    // require a PHP 5 runtime with an open ext/mysql connection.
    $sql = (get_magic_quotes_gpc()) ? stripslashes($sql) : mysql_real_escape_string($sql);
    $sql = htmlentities($sql);
    return $sql;
}
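To put the two approaches in this thread side by side (the parameterized query recommended above and the keyword-stripping function just posted), here is an added example that is not code from the post or any commenter. It looks up a user by name three ways: by pasting the value into the SQL text, by running it through a reduced blacklist filter in the style of makeEncode() first, and by binding it as a parameter. The table, its rows and the input names are constructed; the filter is hypothetical and keeps only a few of makeEncode()'s patterns so its effect on ordinary names is easy to see. It runs against an in-memory SQLite database via PDO, so no MySQL server is needed.

```php
<?php
// Added example (not from the post or its commenters). Requires PHP with pdo_sqlite.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed schema and rows; every name here is a legitimate username.
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)");
$db->exec("INSERT INTO users (username) VALUES ('O''Brien'), ('Fromm'), ('ann-marie')");

// Hypothetical blacklist in the style of makeEncode(), reduced to a few entries.
function blacklistFilter(string $value): string {
    return preg_replace("/(from|select|where|'|--|-|;)/i", "", $value);
}

// Vulnerable form: the value becomes part of the SQL text, so a quote inside
// the data ends the string literal and the remainder is parsed as SQL.
function findUserConcatenated(PDO $db, string $name): ?array {
    $sql = "SELECT id, username FROM users WHERE username = '" . $name . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// "Sanitised" concatenation: the query no longer breaks, but the value no
// longer equals what is stored, so legitimate users are silently not found.
function findUserFiltered(PDO $db, string $name): ?array {
    return findUserConcatenated($db, blacklistFilter($name));
}

// Parameterized form: the SQL text is fixed at prepare() time and the value
// travels separately, so it can only ever be compared as data.
function findUserPrepared(PDO $db, string $name): ?array {
    $stmt = $db->prepare("SELECT id, username FROM users WHERE username = ?");
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

foreach (["O'Brien", "Fromm", "ann-marie"] as $name) {
    echo "input: $name" . PHP_EOL;
    try {
        $r = findUserConcatenated($db, $name);
        echo "  concatenated: " . ($r ? "found {$r['username']}" : "not found") . PHP_EOL;
    } catch (PDOException $e) {
        // The quote in O'Brien turns the statement into invalid SQL.
        echo "  concatenated: query error (" . $e->getMessage() . ")" . PHP_EOL;
    }
    $filtered = blacklistFilter($name);
    $r = findUserFiltered($db, $name);
    echo "  blacklist   : value became '$filtered', " . ($r ? "found {$r['username']}" : "not found") . PHP_EOL;
    $r = findUserPrepared($db, $name);
    echo "  prepared    : " . ($r ? "found {$r['username']}" : "not found") . PHP_EOL;
}
```

Run with `php example.php`. The concatenated lookup errors on O'Brien (the same quote that an attacker would exploit is what breaks an honest name), the blacklist turns Fromm into "m" and ann-marie into "annmarie" so none of the three users can be found, and the prepared statement returns all three. The filter removes no risk that the bound parameter does not already remove, while costing correctness on ordinary data.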
[...] How To Prevent PHP Website From SQL Injection [...]
[...] http://www.anil2u.info/2010/04/12/how-to-prevent-php-website-from-sql-injection/ [...]