|
PHP - Pdo Mysql, Code Safe From Injection?
is this select query code safe from injection?
try {
$stmt = $db->prepare("SELECT * FROM posts WHERE key=$key");
$stmt->execute();
$row = $stmt->fetch();
}
notice there is no bind.
$stmt->bindParam(':key', $key);
the reason i am asking is that i have many $key variable in the query and i do not know how to use bind in a query such as this...
SELECT count(*) FROM posts WHERE MATCH (file) AGAINST
('$key' IN BOOLEAN MODE) OR MATCH (user) AGAINST ('$key' IN BOOLEAN MODE)
the $key is not an array and the $key does not change it's value.
Edited by kalster, 04 January 2015 - 05:52 PM. Similar TutorialsHi, I am using parameterized queries on my code, here's the relevant part Code: [Select] $params=$_POST['ITGtable']; $tsql2 = "SELECT COLUMN_NAME, DATA_TYPE, ORDINAL_POSITION, COLUMN_DEFAULT, CHARACTER_MAXIMUM_LENGTH, IS_NULLABLE FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=?"; /* Execute the statement with the specified parameter value. Display the returned data if no errors occur. */ $stmt2 = sqlsrv_query( $conn, $tsql2, $params); if( $stmt2 === false ) { echo "Statement 2 could not be executed.\n"; die( print_r(sqlsrv_errors(), true)); } else { $qty = sqlsrv_fetch_array( $stmt2); } Do I really have to sanitize $_POST['ITGtable'] for apostrophe, semicolon, etc, to avoid SQL injection problems? Or just with above code I should be safer (I did not say safe) against SQL injection? And if the answer is "No", what could be the sanitize code of function? I am using sqlsrv and MS-SQL database engine; most of the functions we have for sanitize inputs on MySQL are not available for MS-SQL. Thanks in advance, Hi guys, I have been using the same code for years now to include my default page and pull content into my layouts.
I found the code online and its a bit confusing so was just wondering if its still safe to use, and is it all needed nowadays?
or is there a simpler way i could be doing this?
Thanks for any help
<?php
if (isset($_GET['nav']))
{
if (strpos($_GET['nav'], "/"))
{
$direc = substr(str_replace('..', '', $_GET['nav']), 0, strpos($_GET['nav'], "/")) . "/";
$file = substr(strrchr($_GET['nav'], "/"), 1);
if (file_exists($direc.$file.".php"))
{
require($direc.$file.".php");
} else {
require("error.php");
}
} else {
if (file_exists(basename($_GET['nav']).".php"))
{
require(basename($_GET['nav']).".php");
} else {
require("error.php");
}
}
} else {
require("links.php");
}
?>
Does this code have mySQL Injection vulnerability?
$query = "DELETE FROM `$table` WHERE `$column` IN('".implode("','",$array)."')";
using php5, would this make the code more safe...
foreach($array as $key=>$a){
$array[$key] = mysql_real_escape_string($a);}
$query = "DELETE FROM `$table` WHERE `$column` IN('".implode("','",$array)."')";
or is there another way to make the code safe?
Hello People, Been reading up on these and trying to understand them more. Say I have a file called page.php?id=12345 and when users hit the page I run this code in the background: $id = $_GET['id']; $query = "UPDATE tbl SET live = '1' WHERE id = '".$id."'"; That page is not open to any attack right? Even though i'm using $_GET. Am I right in thinking that attacks only happen on online forms. So for example there is no way an attacker could somehow output all the data in my table tbl Thank yo been wondering about this for a while do I need to put the escape on each WHERE? or do i really only need to put it on the $_POST i can probably understand why i need it on $_GET also after WHERE. So wondering about the session id. Code: [Select] <?php mysql_query("UPDATE systems SET homes= $homes + '".mysql_real_escape_string($_POST['homes'])."' WHERE address = '".mysql_real_escape_string($_GET['planet'])."' AND id = '".($_SESSION['user_id'])."'"); ?> $_POST['user_name'] = "CLUEL3SS"; $_POST['user_pass'] = "test123"; $_POST['confirm_pass'] = "test123"; $_POST['user_email'] = "user@email.com"; $_POST['confirm_pass'] = 'user@email.com'; function testFunc($inputVars){ foreach($inputVars as $key=>$value){ $escapeData[$key] = mysql_real_escape_string($value); } return $escapeData; } var_dump(testFunc($_POST)); I'm trying to make a user system for my site and I want to make sure its secure enough to void off injection attackers. Any useful advice and and suggestions would be greatly appreciated! Thanks! i am using a Anti MySQL Injection my friend made for me config.php //Anti MySQL Injection function anti_injection($sql) { // removes words that contain sql syntax $sql = preg_replace(sql_regcase("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/"),"",$sql); $sql = trim($sql); // strip whitespace $sql = strip_tags($sql); // strip HTML and PHP tags $sql = addslashes($sql); // quote string with slashes return $sql; } <?php include "./config.php"; $title = $_POST[title]; $type = $_POST[type]; $episode = $_POST[episode]; $year = $_POST[year]; $genre = $_POST[genre]; $status = $_POST[status]; $summary = $_POST[summary]; $pictures = $_POST[pictures]; $title = anti_injection($title); $type = anti_injection($type); $episode = anti_injection($episode); $year = anti_injection($year); $genre = anti_injection($genre); $status = anti_injection($status); $summary = anti_injection($summary); $pictures = anti_injection($pictures); ?> When i enter the data from the text box and click submit it still puts the data in to the date base but it shows ]Notice: Use of undefined constant title - assumed 'title' in C:\wamp\www\studying\take 2\addin11.php on line 41 Notice: Use of undefined constant type - assumed 'type' in C:\wamp\www\studying\take 2\addin11.php on line 42 Notice: Use of undefined constant episode - assumed 'episode' in C:\wamp\www\studying\take 2\addin11.php on line 43 Notice: Use of undefined constant year - assumed 'year' in C:\wamp\www\studying\take 2\addin11.php on line 44 Notice: Use of undefined constant genre - assumed 'genre' in C:\wamp\www\studying\take 2\addin11.php on line 45 Notice: Use of undefined constant status - assumed 'status' in C:\wamp\www\studying\take 2\addin11.php on line 46 Notice: Use of undefined constant summary - assumed 'summary' in C:\wamp\www\studying\take 2\addin11.php on line 47 Notice: Use of undefined constant pictures - assumed 'pictures' in C:\wamp\www\studying\take 2\addin11.php on line 48 Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30 Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30 Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30 Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30 Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30 Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30 Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30 Deprecated: Function sql_regcase() is deprecated in C:\wamp\www\studying\take 2\config.php on line 30 And thanks to the Anti MySQL Injection my Primary key in my database dont work :s can you help? thank you How can you protect mysql injection? (from inserting different statements into the input field) Thanks Hello, all: I'm a newbie and I'm trying to understand the whole php security thing a bit better, and found this function that seems easy to implement, as well as easy to understand... my question is... Does this means I could use regular $_POST, $_GET, $_COOKIE, $_REQUEST variables without having to individually worry about escaping them every time I use them in queries... is this correct? or safe enough? see example below, along with how I'm using variable in a query... it seems to be working fine, as it does echo out the \ escape character when I test it, or when I try to inject it... Appreciate your input! Code: [Select] <?php $_POST=sanitize($_POST); $_GET=sanitize($_GET); $_COOKIE=sanitize($_COOKIE); $_REQUEST=sanitize($_REQUEST); function sanitize($input){ if(is_array($input)){ foreach($input as $k=>$i){ $output[$k]=sanitize($i); } } else{ if(get_magic_quotes_gpc()){ $input=stripslashes($input); } $output=mysql_real_escape_string($input); } return $output; } // mysql query then I could use be: $money = $_GET['money']; $result = mysql_query("SELECT * FROM countries WHERE currencies = '$money'"); ?> I currently use the following function to clean form inputs to prevent MySql injection, Does this function do enough to prevent MySql injection? is there anything i have missed? <?php //Function to sanitize values received from the form. Prevents SQL injection function clean($str) { $str = @trim($str); if(get_magic_quotes_gpc()) { $str = stripslashes($str); } return mysql_real_escape_string($str); } ?> Good day friends, please i am still an upcoming developer please could you help me check if this contact form code is secured from hackers. Thanks
<?php This is a two parter... mostly a discussion as I am currently not employing the purpose of these "things"
I am creating an autoparsing webapp that has unlimited use... whatever a person can think of
It accesses camera, microphone, gyro/accelerometer, flash etc... mostly it takes in data and does something to it according to the parsing tool
I'm not saying this is new, in fact I spent a while using Touch Develop which is a scripting "thing" by Microsoft, the problem was lag
That is another thing that concerns me, without web access the web-app is useless right? So I'm wondering if it is possible to copy your current setup and either translate it to the mobile languages like Java, C#/XML, Objective C or somehow a platform independent alternative
Anyway...
I'm not sure if I can access front end code, like <div class="whatever"> safely using injection
Well injection you just bind parameters but what if the incoming string is literally malicious ?
Also as far as autoparsing optimization goes, what I mean by that is
I intended to create a character by character comparison, obviously or at least to me, starting with easier stuff first like
for example a link is entered
http://www.something.com
then the autoparser compares each character one at a time from left to right
|1|2|3|4|5|6|7|8|9|10|
|h|t|t|p|:|/|/|w|w|w|...etc...
But I would check for existing formats starting with the shortest first and also checking from right and left, eg. .mp4 is obvious as a file type
I'll have more once I actually know what I need just looking to discuss I suppose... sorry if that is not appropriate feel free to delete this thread
In the future the users who have modified their personal accounts would benefit from an "AI" thing that is specific to their personalities based on what they have enabled
Edited by greenace92, 28 December 2014 - 09:37 AM. using this below is it safe against hackers? Code: [Select] $post_id = intval($_GET['report']); if ($post_id < 1) message($lang_common['Bad request']); query: Code: [Select] $result = $db->query('SELECT subject, forum_id FROM '.$db->prefix.'topics WHERE id='.$topic_id) or error('Unable to fetch topic info', __FILE__, __LINE__, $db->error()); should i escape my $topic_id ? Code: [Select] $stick_topic = isset($_POST['stick_topic']) ? '1' : '0'; does this need to be escaped while entering the database or no because the values could only be 1 or 0 ? srry it's just i got hacked so i am trying to do my security #1 Advice please. I am setting up a new machine here and I can't remember which to download. What information do you need to be aware of to know whether to install 'non thread safe' or 'thread safe'. I did some googling but didn't find anything that was clear. And is 5.3 good to go or should I stick with 5.2. Thanks in advance for your input! I have a button that uses $_POST to send information to another page. The data is in a hidden input so it's not possible for users to change information. I have nothing to check if the data is correct on the other page. Is it still possible for people to change the $_POST data though? Or somehow send false $_POST data to the other page? Hello all. Just wanted to run this past you guys to see if I am missing anything important. I am making a script that I plan to allow a lot of other people around the web to use, so I want to make sure it's as bullet proof as possible. I am passing two values and grabbing them with a _GET, one is a big number, and the other is only letters and 8 characters long. her's my code so far. Code: [Select] <?php $clan = $_GET['clanid']; // make sure its an INT //if(isint($clan)){ if(ereg("[^0-9]", $clan)){ //im an int. echo ("ERROR Invalid CLANID"); die; } // make sure its a 8 letter only word. $style=$_GET['style']; // cut style down to 8 characters long. $style=substr($style, 0, 8); if(ereg("[^a-zA-Z]+", $style)) { // Contains only letters. echo("ERROR Invalid STYLE NAME"); die; } ?> to my noob php eye's it looks pretty solid, I cant think of any way a malicious user could get past it, but like I said, thought I would run it past you guys first , you can never be to careful. Hey guys! I have a doubt and this is a question that relates Flash and PHP... I have a flash (swf) file that grabs/sends variables from/to php. That swf file is FULLY encrypted and the paths to the PHP urls are also encrypted. Is there any other way a hacker could find out where and which my PHP files are located/named? Any ideas, suggestions? Thanks in advance! Cheers, I am building an XML string to send to another server. The manual I am going off of says, Quote NOTE: * XML has a special set of characters that cannot be used in normal XML strings. These characters a Special Character Equivalent & & < < > > " " ' ' It goes on to say... Quote # To avoid problems with special characters, URLEncode special characters (example: ~ ! @ # % ^ &) before sending to the IS Gateway # If you are using POST method, UTF-8 encoding must be used. I am unsure of what to do based on the information above?! It looks like I might want to use urlencode?? Also, maybe I need either htmlentities (or possibly htmlspecialchars)?? Please enlighten me (and help protect my data)!! Thanks, Debbie I am trying to implement what I call private uploads. Basically, users can check a box to indicate they want their file "private" If so, the upload location is then (exampled as): _domain_/private-folder/$randomfolder Upon uploading their file, the random folder is created, their file moved to the directory, the upload information stored to the database, .htaccess file is created like so: info to add to new .htaccess: Code: [Select] <files "*.*"> Deny from All </files> <files "*.*"> Allow from $domains </files> the string $domains is the domains they enter each seperated by a new line in a form textarea. The problem - how can I make sure this is safe. i.e. I want the string to be obviously proofed with php so that no matter what they input, only domains will be outputted. I don't need code written for me (maybe), I'm just unsure of the necessary methods I should use. |
|||||||