Skip to main content

Return to Answer

Commonmark migration
Source Link
Community Bot
Community Bot
  • 1
  • 1

###Update

Update

###Update

Update

added 294 characters in body
Source Link
Your Common Sense
Your Common Sense
  • 157.6k
  • 42
  • 220
  • 354

Every answer here covers only part of the problem. In fact, there are four different query parts which we can add to itSQL dynamically: -

  • a string
  • a number
  • an identifier
  • a syntax keyword.
$orders  = array("name", "price", "qty"); // Field names
$key     = array_search($_GET['sort'], $orders)); // See if we have such a name
$orderby = $orders[$key]; // If not, first one will be set automatically. smart
$query enuf= :"SELECT * FROM `table` ORDER BY $orderby"; // Value is safe

To ease the process I wrote a whitelist helper function that does all the job in one line:

$orderby = white_list($_GET['orderby'], "name", ["name","price","qty"], "Invalid field name");
$query   = "SELECT * FROM `table` ORDER BY $orderby";`$orderby`"; // Valuesound isand safe

However, thereThere is another way to secure identifiers - escaping but I rather stick to whitelisting as a more robust and explicit approach. AsYet as long as you have an identifier quoted, you can escape backticks inside by doubling them.

As a further step, we can borrow a truly brilliant idea of using some placeholder (a proxy to represent the actual value in the query) from the prepared statements and invent a placeholder of another type - an identifier placeholder.

So,quote character to make the long story short: it's a placeholderit safe. For example, notby default for mysql you have to prepared statement can be considered as a silver bulletdouble the quote character to escape it.

So, a general recommendation may For other other DBMS escaping rules would be phrased as As long as you are adding dynamic parts to the query using placeholders (and these placeholders properly processed of course), you can be sure that your query is safedifferent.

So, a general recommendation may be phrased as

  • Any variable that represents an SQL data literal, (or, to put it simply - an SQL string, or a number) must be added through a prepared statement. No Exceptions.
  • Any other query part, such as an SQL keyword, a table or a field name, or an operator - must be filtered through a white list.

###Update

So, unlike whatever "escaping", prepared statements is the measure that indeed protects from SQL injection (when applicable).

If you're still not convinced, here are a step-by-step explanation I wrote, The Hitchhiker's Guide to SQL Injection prevention, where I explained all these matters in detail and even compiled a section entirely dedicated to bad practices and their disclosure.

Every answer here covers only part of the problem. In fact, there are four different query parts which we can add to it dynamically: -

  • a string
  • a number
  • an identifier
  • a syntax keyword.
$orders  = array("name", "price", "qty"); // Field names
$key     = array_search($_GET['sort'], $orders)); // See if we have such a name
$orderby = $orders[$key]; // If not, first one will be set automatically. smart enuf :)
$query   = "SELECT * FROM `table` ORDER BY $orderby"; // Value is safe

However, there is another way to secure identifiers - escaping. As long as you have an identifier quoted, you can escape backticks inside by doubling them.

As a further step, we can borrow a truly brilliant idea of using some placeholder (a proxy to represent the actual value in the query) from the prepared statements and invent a placeholder of another type - an identifier placeholder.

So, to make the long story short: it's a placeholder, not prepared statement can be considered as a silver bullet.

So, a general recommendation may be phrased as As long as you are adding dynamic parts to the query using placeholders (and these placeholders properly processed of course), you can be sure that your query is safe.

###Update

So, unlike whatever "escaping", prepared statements is the measure that indeed protects from SQL injection (when applicable).

If you're still not convinced, here are a step-by-step explanation I wrote, The Hitchhiker's Guide to SQL Injection prevention, where I explained all these matters in detail and even compiled a section entirely dedicated to bad practices and their disclosure.

Every answer here covers only part of the problem. In fact, there are four different query parts which we can add to SQL dynamically: -

  • a string
  • a number
  • an identifier
  • a syntax keyword
$orders  = array("name", "price", "qty"); // Field names
$key = array_search($_GET['sort'], $orders)); // if we have such a name
$orderby = $orders[$key]; // If not, first one will be set automatically. 
$query = "SELECT * FROM `table` ORDER BY $orderby"; // Value is safe

To ease the process I wrote a whitelist helper function that does all the job in one line:

$orderby = white_list($_GET['orderby'], "name", ["name","price","qty"], "Invalid field name");
$query  = "SELECT * FROM `table` ORDER BY `$orderby`"; // sound and safe

There is another way to secure identifiers - escaping but I rather stick to whitelisting as a more robust and explicit approach. Yet as long as you have an identifier quoted, you can escape the quote character to make it safe. For example, by default for mysql you have to double the quote character to escape it. For other other DBMS escaping rules would be different.

So, a general recommendation may be phrased as

  • Any variable that represents an SQL data literal, (or, to put it simply - an SQL string, or a number) must be added through a prepared statement. No Exceptions.
  • Any other query part, such as an SQL keyword, a table or a field name, or an operator - must be filtered through a white list.

###Update

So, unlike whatever "escaping", prepared statements is the measure that indeed protects from SQL injection (when applicable).

corrected spelling, fixed grammer.
Source Link
Sayed Mohd Ali
Sayed Mohd Ali
  • 2.2k
  • 3
  • 13
  • 31

Every answer here covers only part of the problem. In fact, there are four different query parts which we can add to it dynamically: -

And prepared statements coverscover only two of them.

Or there is a slightly better answer that suggests just another method of string formatting and even boasts it as the ultimate panacea. While of course, it is not. This method is no better than regular string formatting, yet it keeps all its drawbacks: it is applicable to strings only and, aslike any other manual formatting, it's essentially optional, non-obligatory measure, prone to human error of any sort.

If you're still not convinced, here isare a step-by-step explanation I wrote, The Hitchhiker's Guide to SQL Injection prevention, where I explained all these matters in detail and even compiled a section entirely dedicated to bad practices and their disclosure.

Every answer here covers only part of the problem. In fact, there are four different query parts which we can add to it dynamically:

And prepared statements covers only two of them.

Or there is a slightly better answer that suggests just another method of string formatting and even boasts it as the ultimate panacea. While of course, it is not. This method is no better than regular string formatting, yet it keeps all its drawbacks: it is applicable to strings only and, as any other manual formatting, it's essentially optional, non-obligatory measure, prone to human error of any sort.

If you're still not convinced, here is a step-by-step explanation I wrote, The Hitchhiker's Guide to SQL Injection prevention, where I explained all these matters in detail and even compiled a section entirely dedicated to bad practices and their disclosure.

Every answer here covers only part of the problem. In fact, there are four different query parts which we can add to it dynamically: -

And prepared statements cover only two of them.

Or there is a slightly better answer that suggests just another method of string formatting and even boasts it as the ultimate panacea. While of course, it is not. This method is no better than regular string formatting, yet it keeps all its drawbacks: it is applicable to strings only and, like any other manual formatting, it's essentially optional, non-obligatory measure, prone to human error of any sort.

If you're still not convinced, here are a step-by-step explanation I wrote, The Hitchhiker's Guide to SQL Injection prevention, where I explained all these matters in detail and even compiled a section entirely dedicated to bad practices and their disclosure.

Active reading - but more work is needed near "can be considered as a".
Source Link
Peter Mortensen
Peter Mortensen
  • 31.3k
  • 22
  • 109
  • 132
improved syntax
Source Link
Farzad Karimi
Farzad Karimi
  • 770
  • 1
  • 13
  • 33
Post Made Community Wiki by animuson
replaced http://stackoverflow.com/ with https://stackoverflow.com/
Source Link
URL Rewriter Bot
URL Rewriter Bot
Made minor fixes to grammar
Source Link
bwegs
bwegs
  • 3.8k
  • 2
  • 32
  • 34
added 1 character in body
Source Link
Your Common Sense
Your Common Sense
  • 157.6k
  • 42
  • 220
  • 354
added 153 characters in body
Source Link
Your Common Sense
Your Common Sense
  • 157.6k
  • 42
  • 220
  • 354
added 3124 characters in body
Source Link
Your Common Sense
Your Common Sense
  • 157.6k
  • 42
  • 220
  • 354
Source Link
Your Common Sense
Your Common Sense
  • 157.6k
  • 42
  • 220
  • 354