kalster Posted November 2, 2014

Does this code have mySQL Injection vulnerability?

$query = "DELETE FROM `$table` WHERE `$column` IN('".implode("','",$array)."')";

using php5, would this make the code more safe...

foreach($array as $key=>$a){
    $array[$key] = mysql_real_escape_string($a);
}
$query = "DELETE FROM `$table` WHERE `$column` IN('".implode("','",$array)."')";

or is there another way to make the code safe?

mac_gyver Posted November 2, 2014

all external data - $_GET, $_POST, $_COOKIE, $_REQUEST (don't use $_REQUEST anyways), $_FILES, and some $_SERVER/$_ENV can be anything that anyone wants to submit to your script. if you are putting any external data values into a sql query statement, they must be treated appropriately to prevent sql injection. this means to escape string data and properly validate/cast numerical data OR use prepared queries. also, internal data that could ever contain any sql special characters must likewise be treated appropriately to prevent sql errors.

i notice that you have variables for a table name and column name in your query. hopefully, you are not getting these from external, user submitted data, because using a database escape function on table/column names won't prevent sql injection and you cannot supply table/column names through place holders using prepared queries.

lastly, the mysql_ functions are OBSOLETE and should not be used when writing new code and if you have old code using them, now is the time to start converting your code to use either the PDO or mysqli_ database functions so that your code will continue to work when the mysql_ functions get removed from the php language.

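Added example, not code from any post in this thread: one way to build the DELETE ... IN (...) query with a PDO prepared statement, taking the values through placeholders and the table/column names from a fixed allow-list. The table names, column names and sample rows are hypothetical, and the demo assumes the pdo_sqlite extension so that it runs without a MySQL server.

```php
<?php
// Added example. Identifiers are only ever taken from this fixed map,
// never from request data (hypothetical schema).
const ALLOWED = [
    'users'    => ['id', 'email'],
    'sessions' => ['id', 'user_id'],
];

// Returns [sql, params]; throws if the identifiers or the value list are unacceptable.
function buildDelete(string $table, string $column, array $values): array
{
    if (!isset(ALLOWED[$table]) || !in_array($column, ALLOWED[$table], true)) {
        throw new InvalidArgumentException('table/column not in allow-list');
    }
    $values = array_values($values);          // positional placeholders need a 0-based list
    if ($values === []) {
        throw new InvalidArgumentException('empty IN() list');   // IN () is a syntax error
    }
    foreach ($values as $v) {
        if (!is_scalar($v)) {                 // e.g. nested arrays from ?id[][]=1
            throw new InvalidArgumentException('non-scalar value');
        }
    }
    $marks = implode(',', array_fill(0, count($values), '?'));    // one ? per value
    return ["DELETE FROM `$table` WHERE `$column` IN ($marks)", $values];
}

// Demo data (constructed) in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)');
$pdo->exec("INSERT INTO users (email) VALUES ('a@example.test'), ('b@example.test'), ('c@example.test')");

// Constructed input: one real value, one value containing quote characters.
$input = ['a@example.test', "x') OR ('1'='1"];
[$sql, $params] = buildDelete('users', 'email', $input);
$stmt = $pdo->prepare($sql);
$stmt->execute($params);                      // values are bound, never spliced into the SQL
echo $sql, "\n";
echo 'deleted: ', $stmt->rowCount(), "\n";
echo 'remaining: ', $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn(), "\n";

// An identifier that is not in the allow-list is refused before any SQL is built.
try {
    buildDelete('users` WHERE 1=1 -- ', 'email', ['x']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```
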
Stefany93 Posted November 2, 2014

Yup, you'd be better off using PDO as the colleague above noted. It is way safer and modern.

kalster Posted November 2, 2014

yes but mysqli is safe and modern too.

mac_gyver Posted November 2, 2014

> mysqli is safe

safety is not in which functions you use, it is how you use them. you can write code that uses either the mysqli or pdo functions and it can still allow sql injection.

the reason that PDO gets recommended over mysqli is that the mysqli library is not consistent and is a PITA to use with dynamically prepared queries.

Stefany93 Posted November 25, 2014

> yes but mysqli is safe and modern too.

No.