Injection can happen on any SQL statement not run properly. For example, let’s pretend your comment table has two fields, an integer ID and the comment string. So you’d INSERT as follows: INSERT INTO COMMENTS VALUES(122,’I like this website’); Consider someone entering the following comment: ‘); DELETE FROM users; — If you just put the … Read more
Yes you need to protect against this. Let me show you why, using Firefox’s developer console: If you don’t cleanse this data, your database will be destroyed. (This might not be a totally valid SQL statement, but I hope I’ve gotten my point across.) Just because you’ve limited what options are available in your dropdown … Read more
The main shortcoming of mysql_real_escape_string, or of the mysql_ extension in general, is that it is harder to apply correctly than other, more modern APIs, especially prepared statements. mysql_real_escape_string is supposed to be used in exactly one case: escaping text content that is used as a value in an SQL statement between quotes. E.g.: $value … Read more
Strictly speaking, there’s actually no escaping needed, because the parameter value is never interpolated into the query string. The way query parameters work is that the query is sent to the database server when you called prepare(), and parameter values are sent later, when you called execute(). So they are kept separate from the textual … Read more
According to Stefan Esser, “mysql_real_escape_string() [is] not safe when SET NAMES is used.” His explanation, from his blog: SET NAMES is usually used to switch the encoding from what is default to what the application needs. This is done in a way that mysql_real_escape_string doesn’t know about this. This means if you switch to some … Read more
I think the correct answer is: Don’t try to do security yourself. Use whatever trusted, industry standard library there is available for what you’re trying to do, rather than trying to do it yourself. Whatever assumptions you make about security, might be incorrect. As secure as your own approach may look (and it looks shaky … Read more
You need to use PreparedStatement. e.g. String insert = “INSERT INTO customer(name,address,email) VALUES(?, ?, ?);”; PreparedStatement ps = connection.prepareStatement(insert); ps.setString(1, name); ps.setString(2, addre); ps.setString(3, email); ResultSet rs = ps.executeQuery(); This will prevent injection attacks. The way the hacker puts it in there is if the String you are inserting has come from input somewhere – … Read more
CodeIgniter DOES ESCAPE the variables you pass by when using the $this->db->query method. But ONLY when you pass the variables as binds, here’s an example: $dbResult = $this->db->query(“SELECT * FROM users WHERE username = ?”, array($this->input->post(‘username’))); Also remember that $_POST shouldn’t be preferred over $this->input->post since what it does is check if the variables exists … Read more
If you’re building SQL in your macro, it’s vulnerable to SQL injection. Even if you trust the people who will be using the thing, you should at least watch for the basics, like people trying to put single-quote and semicolon characters into database fields. this isn’t so much a security issue in your case as … Read more
An important point that I think people here are missing is that with a database that supports parameterized queries, there is no ‘escaping’ to worry about. The database engine doesn’t combine the bound variables into the SQL statement and then parse the whole thing; The bound variables are kept separate and never parsed as a … Read more