Is SQL injection possible with POST?

SQL injection is possible if parameters are passed via GET. But is this also possible through POST? If so, can HTTPS prevent this?

+3
6 answers

Yes, possibly with $_POST, as well as with $_GET, $_COOKIE and $_REQUEST. HTTPS will not protect you at all. You should use some function to protect you, for example mysql_real_escape_string, or use prepared statements.

All messages from a web browser should be treated as "untrustworthy." Other methods you cannot trust are Ajax, file uploads and JavaScript form validations (among others). All of this data comes directly from a web browser and should not be trusted before you filter it or verify the data.

The only thing you can trust is $_SESSION, if you have put only validated data into your $_SESSION variables.

+19
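
The prepared-statement advice in the answer above, as an added example that is not part of the original answers: the same POST field reaches a query once by string concatenation and once through a bound parameter. It assumes PHP 7 or later with the pdo_sqlite extension; the users table, its columns and the name field are made up for the illustration.

```php
<?php
// Added illustration; table, column and field names are assumptions.
// Uses an in-memory SQLite database through PDO so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
$pdo->exec("INSERT INTO users (name, secret) VALUES ('alice', 'a-secret'), ('bob', 'b-secret')");

// Constructed stand-in for a POST body. In a real request PHP fills $_POST
// after TLS has been terminated, so HTTPS delivers these bytes unchanged.
$_POST = ['name' => "nobody' OR '1'='1"];

// BEFORE: the POST value is concatenated into the SQL text, so the quote in
// the input ends the string literal and the rest is parsed as SQL.
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// AFTER: prepared statement. The SQL text is fixed and the value is bound
// as data, so it is only ever compared against the name column.
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The field is read the same way whether it arrived by GET, POST or cookie.
$name = (string) ($_POST['name'] ?? '');

echo 'concatenated: ', json_encode(findUserUnsafe($pdo, $name)), PHP_EOL;
echo 'prepared:     ', json_encode(findUserSafe($pdo, $name)), PHP_EOL;
echo 'prepared, legitimate name: ', json_encode(findUserSafe($pdo, 'alice')), PHP_EOL;
```
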
  • Yes, you can enter SQL through POST. Anyone can change what sends POST requests (find the addon for Firefox called "hackbar"
  • https , -. .
+7

.

+4

, .

SQL- , SQL-, . , GET POST, . , , .

+2

, , - . , , , - - SQL-, , , .

, PHP , - Codesense mysqli wrapper. , , , , , .

SQL , SQL, .

+2

HTTPS cannot protect you here. Filter input(s).

0

Source: https://habr.com/ru/post/1728933/

