September 9, 2022 at 8:02 am
The program becomes vulnerable to SQL injection if user input is added to a SQL query without change, as in the example below:
$unsafe_variable = $_POST['user_input'];
mysql_query("INSERT INTO table (column) VALUES ('$unsafe_variable')");
That's because the user can input something like value'); DROP TABLE table;--, and the query becomes:
INSERT INTO table (column) VALUES('value'); DROP TABLE table;--')
What steps may be taken to stop this from occurring?
September 9, 2022 at 9:29 am
Do not allow dynamic SQL to be used.
Provide the needed stored procedures that accept all input parameters, and only grant the application account execute authority for the sprocs.
Johan
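The question's concatenated INSERT and Johan's "execute authority only" advice, as an added example that is not from either post: the PHP/MySQL snippet is translated to Python's sqlite3 module so it can be run offline. Assumptions made here: the table is named notes (table is a reserved word in SQLite), the payload is the one from the question with that name substituted, executescript stands in for a driver that accepts stacked statements, and, because SQLite has no GRANT, a set_authorizer callback stands in for the SQL Server permission grant that would restrict the application login to executing the procedures.

```python
import sqlite3

# Constructed payload, adapted from the question above: the target table is
# called `notes` here because `table` is a reserved word in SQLite.
PAYLOAD = "value'); DROP TABLE notes;--"


def fresh_db():
    """Constructed sample database: one table with one seed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (content TEXT)")
    conn.execute("INSERT INTO notes (content) VALUES ('seed')")
    conn.commit()
    return conn


def table_exists(conn, name="notes"):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def insert_unsafe(conn, user_input):
    """Mirrors the PHP in the question: the input is spliced into the SQL text."""
    sql = f"INSERT INTO notes (content) VALUES ('{user_input}')"
    # executescript runs every statement in the string, standing in for a driver
    # that accepts stacked statements; sqlite3's execute() would refuse the second.
    conn.executescript(sql)
    return sql


def insert_safe(conn, user_input):
    """Parameterized statement: the input travels as a value, never as SQL text."""
    conn.execute("INSERT INTO notes (content) VALUES (?)", (user_input,))
    conn.commit()


def restrict_to_dml(conn):
    """Least privilege for the application connection, in the spirit of Johan's
    execute-only grant. SQLite has no GRANT (assumption: an authorizer callback
    stands in for it), so every schema-changing action is denied at prepare time."""
    denied = {
        sqlite3.SQLITE_DROP_TABLE, sqlite3.SQLITE_DROP_VIEW, sqlite3.SQLITE_DROP_INDEX,
        sqlite3.SQLITE_DROP_TRIGGER, sqlite3.SQLITE_CREATE_TABLE, sqlite3.SQLITE_ALTER_TABLE,
    }

    def authorizer(action, _arg1, _arg2, _db_name, _trigger_or_view):
        return sqlite3.SQLITE_DENY if action in denied else sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)


def demo():
    """Run the payload through all three paths; returns what survived each one."""
    results = {}

    conn = fresh_db()
    insert_unsafe(conn, PAYLOAD)
    results["concatenated"] = table_exists(conn)          # False: the table was dropped

    conn = fresh_db()
    insert_safe(conn, PAYLOAD)
    results["parameterized"] = table_exists(conn)         # True
    results["stored_literal"] = conn.execute(
        "SELECT content FROM notes WHERE content = ?", (PAYLOAD,)
    ).fetchone() is not None                              # True: payload stored as plain data

    conn = fresh_db()
    restrict_to_dml(conn)
    try:
        insert_unsafe(conn, PAYLOAD)
        results["denied"] = False
    except sqlite3.DatabaseError:                         # "not authorized"
        results["denied"] = True
    results["least_privilege"] = table_exists(conn)       # True: still injectable, but the DROP is refused
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} {outcome}")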
September 9, 2022 at 1:45 pm
What I normally do is to use sys.dm_exec_describe_first_result_set to evaluate if the query returns a valid result set description and if it doesn't, then discard it.
😎
For multi-statement entries, chop them at the first statement delimiter and always discard the rest!
One other thing to look out for is statements passed as hex strings; that might need an extra step, as naive pattern matching will not catch the statement separators!