Jump to content

possible mySQL injection vulnerability?

kalster

By kalster
in MySQL Help

 Share

Recommended Posts

kalster Member

kalster

Posted
Posted

Does this code have mySQL Injection vulnerability?

$query = "DELETE FROM `$table` WHERE `$column` IN('".implode("','",$array)."')";

using php5, would this make the code more safe...

foreach($array as $key=>$a){
$array[$key] = mysql_real_escape_string($a);} 
$query = "DELETE FROM `$table` WHERE `$column` IN('".implode("','",$array)."')";

or is there another way to make the code safe?

Link to comment
Share on other sites
mac_gyver Prolific Member

mac_gyver

Posted
Posted

all external data - $_GET, $_POST, $_COOKIE, $_REQUEST (don't use $_REQUEST anyways), $_FILES, and some $_SERVER/$_ENV can be anything that anyone want's to submit to your script. if you are putting any external data values into a sql query statement, they must be treated appropriately to prevent sql injection. this means to escape string data and properly validate/cast numerical data OR use prepared queries.

 

also, internal data that could ever contain any sql special characters must likewise be treated appropriately to prevent sql errors.

 

i notice that you have variables for a table name and column name in your query. hopefully, you are not getting these from external, user submitted data, because using a database escape function on table/column names won't prevent sql injection and you cannot supply table/column names through place holders using prepared queries.

 

lastly, the mysql_ functions are OBSOLETE and should not be used when writing new code and if you have old code using them, now is the time to start converting your code to use either the PDO or msyqli_ database functions so that your code will continue to work when the mysql_ functions get removed from the php language.

  • Like 1
Link to comment
Share on other sites
mac_gyver Prolific Member

mac_gyver

Posted
Posted
mysqli is safe

 

 

safety is not in which functions you use, it is how you use them. you can write code that uses either the mysqli or pdo functions and it can still allow sql injection.

 

the reason that PDO gets recommend over mysqli is that the mysqli library is not consistent and is a PITA to use with dynamically prepared queries.

Link to comment
Share on other sites
  • 4 weeks later...
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.