All geek questions in one place

SQL injection attack

How to protect my site from SQL injection attacks? I am using PHP and mysql. Should I change my mysql query?

For example, I have one such request:

<?php $q=$_GET["q"];// im getting the Q value from the other form,from drop down box[displaying data using Ajax $a1=$_POST['hosteladmissionno']; $a2=$_POST['student_name']; $a3=$_POST['semester']; $con = mysql_connect('localhost', 'root', ''); if (!$con) { die('Could not connect: ' . mysql_error()); } mysql_select_db("hostel", $con); $a1="SELECT hosteladmissionno,student_name,semester FROM registration WHERE mess_type ".$q."' AND status_flag=1"; $result = mysql_query($a1); if ($result === false) { die(mysql_error()); } echo "<table border='1' width=80%> <tr> <th width=5%> S.No</th> <th width=10%>H.Admin No</th> <th width=10%>Student Name</th> <th width=5%>No of Days</th> </tr>"; $i=0; while($row = mysql_fetch_array($result)) { $i=$i+1; echo "<tr>"; echo "<td align=center>" .$i."</td>"; echo "<td size=10 align=center>" . $row['hosteladmissionno'] . "</td>"; echo "<td size=35 align=center>" . $row['student_name'] . "</td>"; echo "<td align=center> <input type='text' name='days' size=2> </td> "; echo "</tr>"; } echo "</table>"; mysql_close($con); ?>

Do I need to include any changes to my request to avoid injection attacks? Any suggestion would be helpful. Thanks in advance. Hooray!

+5
source share
6 answers

Your request will appear (EDIT: appeared, in the first version of the request), completely static - that is, it does not use the data provided by the user. In this case, there is no risk of SQL injection.

SQL injection attacks include entering user data and including it directly in a SQL query instead of the preferred method of using a parameterized SQL statement, including the values ​​provided by the user. (I don’t know the details of how this is done in PHP ... I certainly hope this is possible.)

EDIT: Ok, now you have changed your code, including:

 $a1="SELECT hosteladmissionno,student_name,semester FROM registration WHERE mess_type ".$q."' AND status_flag=1";

Where $q is retrieved from the text box. Now I assume that you really meant the second line:

 WHERE mess_type='".$q."' AND status_flag=1";

But it is still vulnerable to SQL injection attack. Suppose q is:

 ' OR 'x'='x

As a result, your SQL statement will end as

 SELECT hosteladmissionno,student_name,semester FROM registration WHERE mess_type='' OR 'x'='x' AND status_flag=1

which is clearly not the logic you are following.

You must use the parameters for the values ​​as shown on this page in the prepared PHP page .

+3
source

SQL Injection attacks occur when you take data from a user and use it in a query without taking steps to prevent it from making the expected changes to the query.

Since you are not using any variables at all in this query, you cannot do this, therefore it is safe.

See http://bobby-tables.com/ for more details.

+2
source

I was given advice to use prepared statements. In practice, this is easily achieved using one of the excellent database abstraction layers:

0
source

Put this over your mysql_selected_database part of your script

 $qtitle = addcslashes(mysql_real_escape_string($cleantitle),'%_');

Where $ cleantitle is the original value that you retrieve from the form.

If you use forms that ..

0
source

According to Wikipedia (God bless Google):

SQL injection is a code injection technique that exploits a security vulnerability that occurs in the application database tier. the vulnerability is present when user input is either incorrectly filtered for character characters of a string literal embedded in SQL statements or user input is not strongly typed and thereby is unexpectedly executed. it is an instance of a more general class of vulnerability that can occur whenever a programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insert attacks.

http://en.wikipedia.org/wiki/SQL_injection

0
source

although your query is quite safe, but if you are still suspicious, type in (int) (php way) or CAST (mysql way) with the name of the field, which is an integer type in your table, etc.

0
source

Source: https://habr.com/ru/post/1345660/

More articles:


All Articles