How are strings escaped for each database extension in PHP?

Before anyone jumps to conclusions about the nature of this question, I already know about parameterized / prepared statements and use them whenever possible. Unfortunately, it is not always possible to use them when building dynamic queries.


I am interested in working with databases other than MySQL, but I cannot easily find good sources on how to escape strings for each database extension to prevent SQL injection.

The PHP docs list the following vendor database extensions. I have highlighted the ones I am most interested in:

  • CUBRID
  • dBase
  • DB++
  • FrontBase
  • filePro
  • Firebird / InterBase
  • Informix
  • IBM DB2
  • Ingres
  • MaxDB
  • Mongo
  • mSQL
  • MSSQL
  • MySQL
  • Mysqli
  • Mysqlnd
  • mysqlnd_qc
  • OCI8
  • Ovrimos SQL
  • Paradox
  • PostgreSQL
  • SQLite
  • SQLite3
  • Sybase
  • tokyo_tyrant

An example of a dynamic query that does not work with most parameterized statements:

"Select $col1, $col2 from $table where $col1 = ?" 

After $col1, $col2 and $table have been escaped, the statement can be used as a prepared statement.

+4
6 answers
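The part of the question that no escaping function solves is the identifiers: a placeholder can stand for a value, never for a table or column name, and functions such as mysqli_real_escape_string() escape string literals, not identifiers. The usual answer is to validate the dynamic names against a whitelist, quote them as identifiers, and bind only the value. The following is an added example and not code from the question; the table names, column names and DSN are assumptions. It uses MySQL-style backtick quoting by default, with the quote character as a parameter so the same code serves ANSI double-quote dialects (PostgreSQL, SQLite, Oracle, DB2).

```php
<?php
// Added example (not from the original question): dynamic identifiers are
// validated against a whitelist and quoted as identifiers, while the value is
// still bound through a prepared statement. Schema below is hypothetical.

declare(strict_types=1);

// Allowed tables and their columns (assumed schema for the example).
const ALLOWED_TABLES = [
    'users'  => ['id', 'email', 'created_at'],
    'orders' => ['id', 'user_id', 'total'],
];

/**
 * Validate a caller-supplied table/column set against the whitelist and
 * return the quoted identifiers, or throw. String-literal escaping functions
 * do not make an arbitrary identifier safe; a whitelist does.
 *
 * $quote is '`' for MySQL and '"' for ANSI dialects.
 */
function quoteIdentifiers(string $table, array $cols, string $quote = '`'): array
{
    if (!array_key_exists($table, ALLOWED_TABLES)) {
        throw new InvalidArgumentException("unknown table: $table");
    }
    $quoted = [];
    foreach ($cols as $col) {
        if (!in_array($col, ALLOWED_TABLES[$table], true)) {
            throw new InvalidArgumentException("unknown column: $col");
        }
        // Identifier quoting: wrap in the dialect's quote character and double
        // any embedded quote character (a no-op here, since the name passed
        // the whitelist, but it keeps the function correct on its own).
        $quoted[] = $quote . str_replace($quote, $quote . $quote, $col) . $quote;
    }
    return [$quote . $table . $quote, $quoted];
}

/**
 * Build the query from the question with the identifiers fixed into the SQL
 * text and the value left as a placeholder.
 */
function buildSelect(string $table, string $col1, string $col2, string $quote = '`'): string
{
    [$t, [$c1, $c2]] = quoteIdentifiers($table, [$col1, $col2], $quote);
    return "SELECT $c1, $c2 FROM $t WHERE $c1 = ?";
}

// Usage with PDO (DSN and credentials are assumptions). Emulated prepares are
// switched off so the server, not the client, handles the placeholder.
// $pdo = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret', [
//     PDO::ATTR_EMULATE_PREPARES => false,
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
// ]);
// $stmt = $pdo->prepare(buildSelect($_GET['table'], $_GET['col1'], $_GET['col2']));
// $stmt->execute([$_GET['value']]);

// Demonstration on constructed input, no database needed:
echo buildSelect('users', 'email', 'id'), "\n";

try {
    // Constructed hostile column name; rejected before it reaches any SQL.
    buildSelect('users', 'email; DROP TABLE users; --', 'id');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The whitelist also decides which existing tables and columns a request may read at all, which identifier quoting alone never does: a correctly quoted `"password_hash"` is still a column the caller should not be allowed to select.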
0

PostgreSQL and others (PDO)

PostgreSQL can use pg_escape_string to escape a string.

For PostgreSQL you do not need escaping, thanks to pg_query_params().

Also, you should use PDO with prepared statements. They take care of this, and you can pass the arguments separately, as with pg_query_params().

+2
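The pgsql extension actually has three separate tools, and the answer above names two of them: pg_escape_string() for string literals, pg_query_params() for values, and pg_escape_identifier() for table and column names, which neither of the first two covers. The following is an added example, not part of the answer; the connection string, table and column names are assumptions.

```php
<?php
// Added example (not from the answer): values go through pg_query_params(),
// identifiers through pg_escape_identifier(). Connection details are assumed.

declare(strict_types=1);

$conn = pg_connect('host=localhost dbname=app user=app password=secret');
if ($conn === false) {
    die("connection failed\n");
}

// Untrusted request input (defaults are constructed sample values).
$table  = $_GET['table'] ?? 'users';
$column = $_GET['col']   ?? 'email';
$value  = $_GET['value'] ?? "o'brien@example.com";

// 1) Vulnerable form, kept only for comparison: everything interpolated.
// $res = pg_query($conn, "SELECT $column FROM $table WHERE $column = '$value'");

// 2) Values: passed separately as $1, $2, ..., never interpolated, so no
//    escaping is needed at all.
$res = pg_query_params($conn, 'SELECT id, email FROM users WHERE email = $1', [$value]);

// 3) Identifiers: a placeholder cannot stand for a table or column name, so
//    quote them as identifiers (double quotes, embedded quotes doubled).
//    pg_escape_string() would produce a string literal, which is wrong here.
$qTable  = pg_escape_identifier($conn, $table);
$qColumn = pg_escape_identifier($conn, $column);
$res = pg_query_params(
    $conn,
    "SELECT $qColumn FROM $qTable WHERE $qColumn = \$1",
    [$value]
);

if ($res === false) {
    die('query failed: ' . pg_last_error($conn) . "\n");
}
while ($row = pg_fetch_assoc($res)) {
    echo implode("\t", $row), "\n";
}

// 4) Only when a value genuinely cannot be bound: literal escaping with the
//    connection's encoding taken into account.
$literal = pg_escape_literal($conn, $value);   // produces 'o''brien@example.com'
```

pg_escape_identifier() makes the name syntactically inert, but it still lets a caller name any table or column that exists; pair it with a whitelist of permitted names when the set of readable columns matters.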

MongoDB

In MongoDB, you do not write SQL but work with objects ("documents"), so you do not need to escape anything, since you never use strings as anything other than data.

However, you need to make sure that you are actually passing strings, not arrays, to the MongoDB API. At least in PHP, passing an array such as array('$ne' => 1) will check for != 1 and is therefore just as dangerous as SQL injection. And unfortunately, PHP lets the client create arrays inside $_POST etc. simply by supplying a field whose name uses the PHP array syntax, e.g. password[$ne]. [Source]

+2
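The password[$ne] case from the answer above, shown end to end as an added example (not the answer's own code): how PHP turns the field name into an array, what the resulting query matches, and a guard that refuses anything that is not a scalar string before it reaches the driver. It assumes the current mongodb extension with the MongoDB PHP library (MongoDB\Client) rather than the legacy Mongo driver, and a hypothetical users collection holding a password_hash field.

```php
<?php
// Added example (not from the answer). Assumes the mongodb extension and the
// MongoDB PHP library; collection layout is hypothetical.

declare(strict_types=1);

require 'vendor/autoload.php';

// What PHP does with the request ?user=admin&password[$ne]=1 (constructed
// input; parse_str() applies the same rules as $_GET/$_POST population).
parse_str('user=admin&password[$ne]=1', $input);
var_dump($input['password']);   // array('$ne' => '1'), not a string

/**
 * Reject anything that is not a plain string. Arrays become query operators
 * once handed to the driver, which is the whole injection.
 */
function asString($value): string
{
    if (!is_string($value)) {
        throw new InvalidArgumentException('expected a string');
    }
    return $value;
}

/**
 * Vulnerable version, kept for comparison: with $password = ['$ne' => '1']
 * the filter matches every user whose stored password is not "1".
 */
function findUserVulnerable(MongoDB\Collection $users, $user, $password)
{
    return $users->findOne(['user' => $user, 'password' => $password]);
}

/**
 * Hardened version: the filter contains only whitelisted scalar strings, and
 * the password is compared in PHP against a stored hash, never in the query.
 */
function authenticate(MongoDB\Collection $users, $user, $password): bool
{
    $doc = $users->findOne(['user' => asString($user)]);
    if ($doc === null) {
        return false;
    }
    return password_verify(asString($password), (string) $doc['password_hash']);
}

// Usage (connection string is an assumption):
// $users = (new MongoDB\Client('mongodb://localhost:27017'))->app->users;
// var_dump(authenticate($users, $_POST['user'] ?? '', $_POST['password'] ?? ''));

// The guard on its own, exercised with the constructed input above:
try {
    asString($input['password']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The same array-from-field-name trick applies to every key the client controls, so the check belongs on each field individually, not just on password.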
0

OCI8

As far as I can tell:

 function oci_escape_string( $str ) {
     // Doubling the single quote is the only escaping an Oracle string literal needs
     return strtr( $str, array( "'" => "''" ) );
 }

Should do the trick, ignoring wildcards for LIKE statements.

0
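OCI8 also supports bind variables through oci_bind_by_name(), so for values the quote-doubling function above is only needed as a fallback. The following is an added example, not the answer's code; the connection string, table and columns are assumptions. It binds a value containing a quote and, for the LIKE case the answer mentions, escapes the wildcards in the data and binds the pattern with an explicit ESCAPE character.

```php
<?php
// Added example (not from the answer): bind variables in the OCI8 extension.
// Connection details and schema are assumptions.

declare(strict_types=1);

$conn = oci_connect('app', 'secret', 'localhost/XEPDB1');
if ($conn === false) {
    $e = oci_error();
    die("connect failed: {$e['message']}\n");
}

// Constructed sample input containing a quote character.
$email = $_GET['email'] ?? "o'brien@example.com";

// Bound value: the quote is data and never becomes part of the SQL text,
// so neither oci_escape_string() above nor any other quoting is needed.
$stid = oci_parse($conn, 'SELECT id, email FROM users WHERE email = :email');
oci_bind_by_name($stid, ':email', $email);
if (!oci_execute($stid)) {
    $e = oci_error($stid);
    die("query failed: {$e['message']}\n");
}
while ($row = oci_fetch_assoc($stid)) {
    echo $row['ID'], "\t", $row['EMAIL'], "\n";
}
oci_free_statement($stid);

/**
 * Escape LIKE wildcards in a value so it matches literally, using backslash
 * as the escape character declared in the query's ESCAPE clause.
 */
function likeLiteral(string $value): string
{
    return strtr($value, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
}

// LIKE with a bound pattern: "o_" must match the two characters o and _,
// not "o" followed by any character, so the wildcards are escaped first.
$pattern = likeLiteral($_GET['prefix'] ?? 'o_') . '%';
$stid = oci_parse(
    $conn,
    "SELECT id, email FROM users WHERE email LIKE :pat ESCAPE '\\'"
);
oci_bind_by_name($stid, ':pat', $pattern);
oci_execute($stid);
while ($row = oci_fetch_assoc($stid)) {
    echo $row['ID'], "\t", $row['EMAIL'], "\n";
}
oci_free_statement($stid);
oci_close($conn);
```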

CUBRID

According to its manual, the CUBRID PHP API has the same syntax as MySQL, i.e. cubrid_real_escape_string. With the new release of CUBRID 8.4.0, it provides 90% compatibility with MySQL.


Source: https://habr.com/ru/post/1338955/
