SQL injections in ADOdb and general website security

by

SQL injection attacks happen when user input is improperly encoded. Typically, the user input is some data the user sends with her query, i.e. values in the $_GET, $_POST, $_COOKIE, $_REQUEST, or $_SERVER arrays. However, user input can also come from a variety of other sources, like sockets, remote websites, files, etc.. Therefore, you should really treat everything but constants (like 'foobar') as user input.

In the code you posted, mysql_real_escape_string is used to encode(=escape) user inputs. The code is therefore correct, i.e. does not allow any SQL injection attacks.

Note that it’s very easy to forget the call to mysql_real_escape_string – and one time is enough for a skilled attacker! Therefore, you may want to use the modern PDO with prepared statements instead of adodb.

More Related Contents:

  1. How can I prevent SQL injection in PHP?
  2. SQL injection that gets around mysql_real_escape_string()
  3. Is “mysqli_real_escape_string” enough to avoid SQL injection or other SQL attacks?
  4. Reference: What is a perfect code sample using the MySQL extension? [closed]
  5. Why is using a mysql prepared statement more secure than using the common escape functions?
  6. how safe are PDO prepared statements
  7. How can I sanitize user input with PHP?
  8. Are PDO prepared statements sufficient to prevent SQL injection?
  9. The ultimate clean/secure function
  10. How to create a secure mysql prepared statement in php?
  11. Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?
  12. When should I use prepared statements?
  13. How do I use password hashing with PDO to make my code more secure? [closed]
  14. Examples of SQL Injections through addslashes()?
  15. Is mysql_real_escape_string() broken?
  16. Are mysql_real_escape_string() and mysql_escape_string() sufficient for app security?
  17. How to best store user information and user login and password
  18. Shortcomings of mysql_real_escape_string?
  19. Do I have to guard against SQL injection if I used a dropdown?
  20. “slash before every quote” problem [duplicate]
  21. Hiding true database object ID in url’s
  22. MySQL Prepared Statements
  23. a better approach than storing mysql password in plain text in config file?
  24. Is htmlspecialchars enough to prevent an SQL injection on a variable enclosed in single quotes?
  25. What does mysql_real_escape_string() do that addslashes() doesn’t?
  26. Best way to connect to MySQL with PHP securely [duplicate]
  27. Do I have to use mysql_real_escape_string if I bind parameters?
  28. Is mysql_real_escape_string enough to Anti SQL Injection?
  29. Improve password hashing with a random salt
  30. What is the PDO equivalent of function mysql_real_escape_string?

Leave a Comment