473,671 Members | 2,557 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Preventing SQL injection attacks



Can anyone provide any suggestions/URLs for best-practice approaches to
preventing SQL injection? There seems to be little on the web that I can
find on this.
Martin Lucas-Smith www.geog.cam.ac.uk/~mvl22
www.lucas-smith.co.uk

Senior Computing Technician (Web Technician)
Department of Geography, University of Cambridge (01223 3)33390

& Webmaster, SPRI
Scott Polar Research Institute, University of Cambridge
Jul 16 '05 #1
2 9131
Martin Lucas-Smith wrote:

Can anyone provide any suggestions/URLs for best-practice approaches to
preventing SQL injection? There seems to be little on the web that I can
find on this.


The php manual actually has a section that talks about this a bit:

http://www.php.net/manual/en/security.database.php

--
Justin Koivisto - sp**@koivi.com
PHP POSTERS: Please use comp.lang.php for PHP related questions,
alt.php* groups are not recommended.

Jul 16 '05 #2
On Mon, 18 Aug 2003 13:33:10 +0100, Martin Lucas-Smith <mv***@cam.ac.u k> wrote:
Can anyone provide any suggestions/URLs for best-practice approaches to
preventing SQL injection? There seems to be little on the web that I can
find on this.


Using what database?

Any database with a moderately well designed interface supports placeholders
(a.k.a. bind variables). These separate the text of the SQL from the values you
wish to use within the statement. Using placeholders eliminates the possibility
of SQL injection attacks, as your values are never interpreted as SQL.

e.g.

INSERT INTO wherever (col1, col2) values (?, ?)

You'd 'prepare' this statement - the database parses the SQL, and discovers
two placeholders where values need to go.

You then 'bind' two values to it - the values you want are associated with the
placeholders. No need to think about quoting, or 'special' characters, it's
just data, not SQL.

Then 'execute' it - the statement runs, it has the necessary data from the
bind step, and it's done.

Constants are OK in SQL, but variable data shouldn't be present in an SQL
statement; anything that's variable should be a placeholder.
Unfortunately MySQL, commonly used with PHP, forces you to intermingle SQL
with data.

e.g.

INSERT INTO wherever (col1, col2) values ('$x1', '$x2')

So, you then need to start worrying about whether $x1 and $x2 contain single
quotes or null characters.

If $x1='a', and $x2 contained:

'); DELETE from wherever;

Then because of the further design flaw in the PHP/MySQL extension which lets
it exeute multiple statements with a single call to mysql_query(), it actually
ends up executing:

INSERT INTO wherever (col1, col2) values ('a', ''); DELETE FROM wherever; )

Which runs the insert, runs the delete, then ends in a syntax error, but the
prior statements have already run. Your data is now gone.

You need to escape single quotes and null values in data if you're passing it
to MySQL. Use addslashes() or mysql_escape_st ring(), and use it exactly once,
else you end up with escaped slashes in your database. PHP has the
'magic_quotes' options that escape values coming from forms, which can often be
the cause of double-escaping.

After escaping, you'd get:

INSERT INTO wherever (col1, col2) values ('a', '\'); DELETE FROM wherever; )')

Which is valid single insert.

For numbers, you don't want to quote them, so ensure they are actually numeric
before passing them into the SQL, with is_numeric().

Or use a database abstraction layer that emulates placeholders for you, if
your database doesn't support them natively, such as Pear DB. Or roll your own;
you can knock something up with sprintf, and wrap it around your database
calls.

--
Andy Hassall (an**@andyh.co. uk) icq(5747695) (http://www.andyh.co.uk)
Space: disk usage analysis tool (http://www.andyhsoftware.co.uk/space)
Jul 16 '05 #3

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics
2
1969
SQL injection attacks
by: freddy | last post by:
I would like to get more information on securing my windows apps from SQL injection attacks. There is so much stuff on web apps, but I can't find info on win apps. Can you help me
C# / C Sharp
4
1650
SQL Injection Attacks
by: poppy | last post by:
I think a site I developed has been the victim of a sql injection attack.I know how to stop this happening in future but: Is there any way I can trace such an attack?
ASP.NET
9
2059
Protecting SQL injection attacks (text input functino)
by: Darrel | last post by:
I'm learning a bit about the SWL injection issues and want to write a shared class that I can call from anywhere in my project to 'sanitize' any incoming text from textfields before sending to the DB. Is it enough to simply escape single quotes as two single quotes? Ie, replace ' with ''? Or should I also be checking for things like brackets, parenthesis and SQL command words (INSERT, UPDATE, DELETE, etc.)? And...maybe a dumb question,...
ASP.NET
5
2339
Injection Attack
by: TCORDON | last post by:
What is the best way to protect a site against it? Does anyone have a RegEx to help validate user input? TIA!
ASP.NET
5
2133
solution for preventing injection attacks
by: www.douglassdavis.com | last post by:
I have an idea for preventing sql injection attacks, however it would have to be implemented by the database vendor. Let me know if I am on the right track, this totally off base, or already implemented somewhere... Lets say you could have a format string such as in printf $format=" SELECT %s FROM %s WHERE id='%s' "; $fieldname="last_name"; $tablename="personel";
PHP
10
23901
Preventing form injection on Classic ASP pages
by: bregent | last post by:
I've seen plenty of articles and utilities for preventing form injections for ASP.NET, but not too much for classic ASP. Are there any good input validation scripts that you use to avoid form injection attacks? I'm looking for good routines I can reuse on all of my form processing pages. Thanks.
ASP / Active Server Pages
4
1375
Preventing SQL Injection attacks
by: Kevin Audleman | last post by:
My site has come under attack from sql injections. I thought I had things handled by replacing all single quotes with two single quotes, aka Replace(inputString, "'", "''") Alas, clever hackers have still managed to find a way to drop columns from some of my tables. Can anybody direct me towards a best practice document on preventing these attacks?
Microsoft SQL Server
29
2107
IIS SQL Injection woes...
by: sinbuzz | last post by:
Hi, I'm curious about the best way to avoid SQL Injection attacks against my web server. Currently I'm on IIS. I might be willing to switch to something like Apache but I'm not sure if SQL Injection is is a generic enough of an attack to cause me worries once I make the
C# / C Sharp
2
4315
How can SQL injection attacks compromise ADODB Connections?
by: Jerry Winston | last post by:
We all know SQL injection attacks can easily get break SQL command strings concatenated with unsanitized user input fields: set commandObj = Server.CreateObject("ADODB.Connection") set rs = Server.CreateObject("ADODB.Recordset") commandObj.ConnectionString = myGenericConnectionString commandObj.Open sqlCMD ="INSERT INTO myTable (item,cost) VALUES ('" & request.Form.Item("txtMyHTML_Field1") & "' , " &...
ASP / Active Server Pages
0
8483
marktang
What is ONU?
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
General
1
8605
The easy way to turn off automatic updates for Windows 10/11
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
Windows Server
0
8676
tracyyun
Discussion: How does Zigbee compare with other wireless protocols in smart home applications?
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
General
0
7445
agi2029
AI Job Threat for Devs
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
Career Advice
0
5703
Couldn’t get equations in html when convert word .docx file to html file in C#.
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
C# / C Sharp
0
4227
Trying to create a lan-to-lan vpn between two differents networks
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
Networking - Hardware / Configuration
0
4416
Windows Forms - .Net 8.0
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
Visual Basic .NET
1
2819
transfer the data from one system to another through ip address
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
C# / C Sharp
2
2062
muto222
How to add payments to a PHP MySQL app.
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
PHP

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes
How to Post and Respond on Bytes
How to Promote and Link on Bytes
How to increase your Ranking on Bytes
Become a Recognized Expert on Bytes
Feedback Welcomed! Contact Us