Are input sanitization methods and parameterized queries interdependent?

I am working on updating outdated code that does not properly handle user input. The code does fulfill the minimum degree of sanitization, but does not cover all known threats.

Our new code uses parameterized queries. As far as I understand, the queries are precompiled, and the input is processed simply as data that cannot be executed. In this case, sanitization is not required. Is that correct?

In other words, if I parameterize the queries in this outdated code, is it okay to remove the sanitization that it is doing now? Or am I missing some additional advantage of sanitization in addition to parameterization?

+3
6 answers

It is true that SQL query parameters are good protection against SQL injection. Quotation marks or other special characters embedded in the input cannot cause errors.

But some components of SQL queries cannot be parameterized. For instance: table names, column names, SQL keywords.

// Column name and sort direction are identifiers/keywords, not values,
// so they cannot be bound as parameters and must be validated separately.
$sql = "SELECT * FROM MyTable ORDER BY {$columnname} {$ASC_or_DESC}";

So, there are some examples of dynamic content that you might need to check before interpolating into an SQL query. Whitelisting values is also a good technique.

, , . , SQL.

  • , . , - .

  • , ? , .

  • , , , , , , 1000, - , .

+5

SQL-, . , HTML / HTML. , , SQL-, , .

+5

, ( ). SQL.

. .

+2

, SQL , .

. , , varchar (10) , , .

+1

. , : , . . - .

+1

It is important to note that, as a secondary point, it is sometimes useful to write stored procedures that contain dynamic SQL. In this case, the fact that the inputs are parameterized is not automatic protection against SQL injection. This may seem like a pretty obvious point, but I often come across people who think that since their input parameters are parameterized, they can just stop worrying about SQL Injection.

+1
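The following is an added example, not code from any of the answers above, illustrating both the first answer (bound parameters protect values, while identifiers such as the ORDER BY column and direction must be validated against a whitelist) and the last answer (a parameter that is concatenated into dynamic SQL again, as in a stored procedure, loses that protection). It uses Python's built-in sqlite3 module in place of the PHP/database setup of the original; the table name MyTable is taken from the first answer, and the column names, allowlists and sample rows are constructed for the example.

```python
import sqlite3

# Allowlists for query parts that cannot be bound as parameters
# (identifiers and keywords). These names are constructed for this example.
ALLOWED_COLUMNS = {"id", "name", "created_at"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def build_connection():
    """Create an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE MyTable (id INTEGER PRIMARY KEY, name TEXT, created_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO MyTable (name, created_at) VALUES (?, ?)",
        [("alice", "2024-01-01"), ("bob", "2024-02-01"), ("o'hara", "2024-03-01")],
    )
    return conn


def find_by_name(conn, name):
    """Bound parameter: whatever is in `name` is compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT id, name FROM MyTable WHERE name = ?", (name,)
    ).fetchall()


def list_ordered(conn, column, direction):
    """Identifiers and keywords cannot be parameters, so validate them against
    an allowlist before interpolating them into the query text."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not allowed: {column!r}")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"direction not allowed: {direction!r}")
    rows = conn.execute(
        f"SELECT name FROM MyTable ORDER BY {column} {direction}"
    ).fetchall()
    return [r[0] for r in rows]


def find_by_name_dynamic(conn, name):
    """Models the stored-procedure case from the last answer: `name` arrived as a
    parameter, but the body concatenates it into dynamic SQL, so the
    parameterization of the outer call gives no protection. Kept only to show
    the failure mode; the safe form is find_by_name()."""
    sql = "SELECT id, name FROM MyTable WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_connection()
    print(find_by_name(db, "o'hara"))          # the quote is just data
    print(list_ordered(db, "name", "desc"))    # whitelisted identifier and keyword
    try:
        list_ordered(db, "name; DROP TABLE MyTable", "ASC")
    except ValueError as e:
        print("rejected:", e)
```

Run it as a script to see the three cases. The point of `find_by_name_dynamic` is not the string it builds but the contrast with `find_by_name`: once a parameter's content is pasted back into query text, the database sees it as SQL again, which is exactly why validation still matters inside dynamic SQL even when every entry point is parameterized.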

Source: https://habr.com/ru/post/1751800/
