Comments on: SQL Injection Attack – Examples and Preventions in PHP

By: Picas

Picas — Tue, 18 Aug 2009 17:09:51 +0000

Can we do sql Injection if the developer use session before we login..??

By: SQL Injection Attack Examples and Preventions in PHP | Green Tea Fat Burner

SQL Injection Attack Examples and Preventions in PHP | Green Tea Fat Burner — Mon, 08 Jun 2009 01:59:11 +0000

[...] SQL Injection Attack Examples and Preventions in PHP Posted by root 3 hours ago (http://roshanbh.com.np) Sql injection attack example and preventions or prevention in php fat hobbit wrote on 26 december 2007 13 31 an easy method of preventing sql injection with php and mysql write a comment name required mail required website powered by wordpress org custom Discuss | Bury | News | SQL Injection Attack Examples and Preventions in PHP [...]

By: 7 Useful functions to tighten the security in PHP « HMV.co.in

7 Useful functions to tighten the security in PHP « HMV.co.in — Fri, 03 Oct 2008 21:11:38 +0000

[...] are few useful functions which is very handy for preventing your website from various attacks like SQL Injection Attack , XSS attack etc.Let’s check few useful functions available in PHP to tighten the security in [...]

By: Gk

Gk — Fri, 29 Aug 2008 10:14:03 +0000

However, I can use some of the programs to create a packet w/o any limit of data be posted. And trust me, it’s very easy. So check on the server side is only method to defense a SQL injection attack.

By: Roshan

Roshan — Thu, 14 Aug 2008 17:57:21 +0000

@Animesh – Ya you’re a attacker can post the data from other domain as well but you can also restrict the cross domain request forgery

By: Animesh

Animesh — Thu, 14 Aug 2008 14:25:41 +0000

Hi,
Good article.

I am not sure if point #1 [ restricting the length of the fields of the html form ] is of much use, since a user can always create a query without using the form we create. I feel that server side checks are the only sure way to go, and assuming that html form based security will save us might lull some developers into a false sense of security.

By: Mark Butler

Mark Butler — Fri, 20 Jun 2008 12:47:54 +0000

We should also mention that some of the most destructive exploits can be avoided by designing applications so that the user does not have access to DDL statements like DROP, ALTER, or CREATE.

By: Useful functions to tighten the PHP security

Useful functions to tighten the PHP security — Sat, 24 May 2008 18:25:32 +0000

By: Change dropdown list (options) values from database with ajax and php

Change dropdown list (options) values from database with ajax and php — Sun, 09 Mar 2008 06:09:31 +0000

[...] instead of $country=$_GET[’country’]; in the findcity.php to prevent your site from sql injection attack. The cisco certification gives great importance to the networking administrators so that they may [...]

By: will

will — Tue, 15 Jan 2008 14:55:29 +0000

In response to Hobbit:
Prepared statements are ideal, however, only MySQL 5 and newer support them. Most LAMP environments are pre-packaged with MySQL 3.23 or 4.1, leaving much to be desired for site developers.

mysql_real_escape_string is handy, but requires you to connect to the database to clean your input.
as a result, you waste a database connection until it is actually needed.

Jay Pipes of MySQL (www.jaypipes.com) has a handy SQLConnection class which utilizes lazy loading to aid this interaction.

in a perfect environment, mysql_real_escape_string would be ideal because it takes into account the connection’s character set. in medium to large scale environments, it can be a curse because it lengthens the amount of time a connection needs to stay open with MySQL until the query is built and run. Many people choose to use php’s addslashes() in leui of this function.

By: wscoop

wscoop — Mon, 14 Jan 2008 04:57:43 +0000

Story added…

Your story was featured in wscoop! Post: http://www.wscoop.com/Build/SQL-Injection-Attack-Examples-and-Preventions-in-PHP...

By: Jim O

Jim O — Thu, 27 Dec 2007 00:02:00 +0000

It's worth noting that the mysql_query function in PHP doesn't support/allow multiple statements, so your DROP TABLE example wouldn't work anyway.

As a previous commenter said, prepared statements are a good way to avoid SQL injection, so much so that prepared statements are the only database feature that PDO will emulate if the database doesn't support them natively. PDO, ADOdb, and CpdeIgniter's database libraries all support prepared statement style syntax, and I find it a very convenient way to deal with SQL Injection.

Jim.

By: Fat Hobbit

Fat Hobbit — Wed, 26 Dec 2007 13:31:00 +0000

An easy method of preventing sql injection with php and mysql (or any database) is using prepared statements

This is also true for oracle or other databases.
I like using this technique, since i lets the database do what it's good at, while i can focus on the task at hand.