Possible Duplicate:
Best way to prevent SQL injection in PHP?
I have been doing some research about SQL Injection but I have some questions that I couldn't find answer to. Isn't it possible to prevent SQL injection attacks on string levels? What I mean is, can't we prevent it by;
Finding illegal characters before processing them through mysql queries?
$postID = $_POST['id']; if($postID contains characters) remove characters; if($postID still contains characters) then exit; else mysql_real_escape_string($postID); //just in case? continue to do whatever you are doing...
Is it really necessary to use PDO/mysqli stuff? Is it sufficient to analyze your sql strings to be processed in mysql? Please keep in mind that I am not a PHP or MySQL expert while replying. I am someone who is trying to learn about them.
Sure, you can protect against injection with mysql_real_escape_string($postID), as long as you don't mind a query every time you call the function.
PDO and MySQLi provide a lot more than just injection protection. They allow for prepared statements that can protect agaisnt injection without multiple calls to the db. This means faster overall performance. Imagine trying to insert to a table a user record with 30 columns... that's a lot of mysql_real_escape_string() calls.
Prepared statements send all the data at once along with the query and escape it on the server in one request. Mysql DB's support prepared statments, the old php mysql_ libraries don't support them.
Time to move on to mysqli or preferrably PDO--you'll never look back.
I would encourage you to use PDO (PHP Data Objects). It will help against SQL injection and should speed up queries. Also, your application becomes more abstracted from the database.
Something like the following:
$stmt = $conn->prepare("INSERT INTO table_name VALUES(:id, :firstname, :lastname)");
$stmt->bindValue(':id', $id);
$stmt->bindValue(':firstname', $firstname);
$stmt->bindValue(':lastname', $lastname);
$stmt->execute();
If your ID it's an integer, just use
$postID = (int)$_POST['id'];
And of course, validate if $postID it's != zero after that line.
I wouldn't encourage you to use the mysql_ functions anymore because they're deprecated. Check: http://php.net/manual/en/function.mysql-real-escape-string.php for more information on why the regular mysql_ has been discontinued. You could switch to mysqli really easy. It really isn't that complicated. Plus if you want to escape characters and you don't want to be replacing every mysql_real_escape_string for the new way of escaping, you could use this function:
function mysql_string_safe($stringtoclean)
{
//In this case,
$safestring = mysqli_real_escape_string('your_handle_here',$stringtoclean);
return $safestring;
}
So then you would replace mysql_real_escape_string for mysql_string_safe. Mysqli is really similar to mysql_ but It's more secure. I've switched to it and it didn't take too long, it was easy since it was just replacing stuff. Connecting to the database is different too. On the other hand, PDO has support towards different database drivers but if you want to save time and you're not going to switch database drivers, just use mysqli.
Is it really necessary to use PDO/mysqli stuff?
No.
Is it sufficient to analyze your sql strings to be processed in mysql?
No.
Learning Material
- MySQL SQL Injection Cheat Sheet
- SQL Injection Prevention Cheat Sheet
- How to Avoid SQL Injection Vulnerabilities
- more security cheat sheets
Coding Security Controls
Don’t write your own security controls! Reinventing the wheel when it comes to developing security controls for every web application or web service leads to wasted time and massive security holes. The OWASP Enterprise Security API (ESAPI) Toolkits help software developers guard against security‐related design and implementation flaws - https://code.google.com/p/owasp-esapi-php/
Just use PDO and prepare your statements.
来源:https://stackoverflow.com/questions/13147555/php-sql-injection-prevention-with-string-operations