How can I prevent second order SQL attacks?

I use PHP PDO for my queries everywhere, but I read that in very rare cases there can still be "second order injections", where an unsafe variable is stored and then executed when it is used in another statement.

Do prepared statements still protect against this, as long as I make sure I always use them? Or should I take extra precautions? Am I still vulnerable to XSS attacks?

I also have a few more questions, just out of curiosity, if you don't mind:

  • Is it possible to have an SQL injection with only alphanumeric characters, spaces and one dash? Like select * from something where name='$some_variable'. All the examples I've seen seem to require other characters, such as semicolons, quotation marks, or double dashes.

  • I read many SQL injection examples in which an unsafe variable can be set to form another statement, for example

     $foo = "foo'); INSERT INTO users (name) VALUES ('hi";
     $bar = ("INSERT INTO users (name) VALUES ('$foo')");

But I just tested, and mysql_query did not even allow multiple statements. I know that you can still have injections within a single statement, but can I confirm that you won't have problems with multiple statements in PHP?

2 answers

Not to beat a dead (or is it very much alive?) horse, but ...

Injection can only occur when the data is read by the SQL engine as commands. In a very simple case, if you allow " characters in your data, and your data is enclosed in " characters in the SQL, you have enabled an SQL injection attack.

The key to preventing any SQL injection is to correctly validate and sanitize incoming data EVERY time it is included in an SQL statement. An easy way to do this is to simply use prepared statements, which take care of this for you and let you pass parameters to the SQL statement safely.

Each database library has its own way of escaping or of using prepared statements. In MySQL and PHP, you have mysqli_real_escape_string(), which should be used EVERY TIME, PERIOD, when you use the mysqli library.

The PDO library has its own way, but if I remember correctly, prepared statements were a large part of PDO: use them 100% of the time and you will be fine.

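The second-order case from the question, shown as an added example that is not from the original question or either answer. It assumes PDO's SQLite driver is available and uses an in-memory database with a constructed users table; the point is that a value stored safely through a prepared statement becomes dangerous again the moment a later query concatenates it instead of binding it.

```php
<?php
// Added example (not part of the original page). A second-order injection
// arises when data that was stored safely is later pasted into a new SQL
// string. The table, names and roles below are constructed for this example.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)");

// Step 1: registration uses a prepared statement, so the name is stored
// verbatim, quote and all. PDO has done its job here; nothing is injected.
$storedName = "admin' OR '1'='1";
$ins = $pdo->prepare("INSERT INTO users (name, role) VALUES (?, ?)");
$ins->execute([$storedName, 'user']);
$ins->execute(['alice', 'admin']);

// Step 2 (vulnerable): a later query reads the stored name back and
// interpolates it into SQL. The stored quote re-enters the SQL as syntax,
// so the WHERE clause no longer selects only the row that was named.
$name = $pdo->query("SELECT name FROM users WHERE id = 1")->fetchColumn();
$rows = $pdo->query("SELECT name, role FROM users WHERE name = '$name'")
            ->fetchAll(PDO::FETCH_ASSOC);
echo "unsafe reuse matched " . count($rows) . " row(s)\n";

// Step 2 (fixed): bind the stored value exactly as you would bind fresh user
// input. "Already in the database" does not mean "already safe for this query".
$sel = $pdo->prepare("SELECT name, role FROM users WHERE name = ?");
$sel->execute([$name]);
$rows = $sel->fetchAll(PDO::FETCH_ASSOC);
echo "prepared reuse matched " . count($rows) . " row(s)\n";
```

The same rule covers values that arrive from any other trusted-looking source (config files, other services, earlier queries): every interpolation into SQL is a fresh injection point, so every one gets a bound parameter.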

To prevent repeated XSS attacks, use HTML Purifier and never strip_tags(); see the links below for more information. PDO prepared statements should be good for preventing SQL injection:

http://www.reddit.com/r/PHP/comments/nj5t0/what_everyone_should_know_about_strip_tags/

http://htmlpurifier.org/


Source: https://habr.com/ru/post/1402947/
