  1. #1 SitePoint Evangelist (Bellingham, WA)

    Testing Database Security The Sql

    Hello,

    I posted a question about sql injection yesterday and I've been reading up on it like a madman. Combined with the comments I got from my previous question, I'd like to make sure that I truly understand the issues before adding security to my site. So, before I clean up my site,

    True or False

    Sql Injection occurs when $_POSTs and $_GETs are not properly cleaned up. To minimize the risk, all html input should be validated (for example, no "tricky" characters in usernames/passwords) and all queries that use dynamic input from the user need to be properly taken care of (using, for example, a parameter binding method).

    However, if a query is done internally that's either static in nature, OR doesn't require input from the user (for example, "Select * from tablex where user_id=$_SESSION['user_id']" ----- no $_POST or $_GET here!) then for these queries, there's no threat of SQL injection.


    Thank you,

    -Eric

  2. #2 SitePoint Guru

    > However, if a query is done internally that's either static in nature, OR doesn't require input from the user (for example, "Select * from tablex where user_id=$_SESSION['user_id']" ----- no $_POST or $_GET here!) then for these queries, there's no threat of SQL injection.

    Maybe it's belt and braces (suspenders [I think], to you US guys) but I sanitise data even if it is obtained from the session. I don't know how easy it is to crack a session (even if only the session ID is on the user's computer), but I prefer to be as safe as possible.

    hth

    bazz

  3. #3 SitePoint Evangelist (Bellingham, WA)
    Thanks...I'll add it to my list.

    Cheers!

    -Eric

  4. #4 Aleksejs (Riga, Latvia)

    Direct user input comes from these sources:
    $_GET, $_POST (that together form $_REQUEST), $_COOKIE and HTTP headers (that are assigned to various elements of the $_SERVER array). Obviously you need to validate and sanitise everything that comes from here.

    Sessions ($_SESSION) are usually considered not directly changeable by the user. With one exception - $_SESSION['id'] - in the default configuration this value is set from $_COOKIE['PHPSESSIONID'] or $_GET['PHPSESSIONID'] (if the browser refuses to use cookies). So, if, for instance, one has the query:
    Code MySQL:
    'SELECT somefields FROM sometable WHERE session_id = ' . $_SESSION['id']
    then by manipulating the PHPSESSIONID cookie one can do SQL injection.

    So, as bazz already said, it is very good practice to validate and sanitise all session values as well.

    Going even further - design your application so that each component trusts other components as little as necessary/possible. For example, a PHP script should assume that an attacker can manipulate data in the database directly and hence validate all data that it gets from the DB (and all headers, e.g. the referrer, that come from the web server). The DB has to assume that PHP will try to feed it malicious data and validate by the means available to it. Even the web server should do some validation on input/output.
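    The query pattern quoted in this post (and the user_id lookup from post #1) built two ways: first by string concatenation, then validated and parameter-bound. This is an added example, not code from the thread; the PDO connection details, the table and column names and the assumed session-id format check are placeholders.

```php
<?php
// Added example, not code from the thread. Shows the query pattern from posts #1
// and #4 built two ways. Assumes a PDO connection to MySQL; the table and column
// names are placeholders.

// Vulnerable form: the session value is spliced straight into the SQL text, so
// whatever ends up in $_SESSION['id'] (see post #4) becomes part of the query.
function vulnerableLookup(PDO $db, array $session): array
{
    $sql = 'SELECT somefields FROM sometable WHERE session_id = ' . $session['id'];
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: check the value's shape first, then pass it as a bound
// parameter so the driver sends it as data, never as SQL text.
function safeLookup(PDO $db, array $session): array
{
    $id = $session['id'] ?? null;
    // Assumed format: a session id is a short token of letters and digits only.
    if (!is_string($id) || !preg_match('/^[A-Za-z0-9]{1,128}$/', $id)) {
        throw new InvalidArgumentException('malformed session id');
    }
    $stmt = $db->prepare('SELECT somefields FROM sometable WHERE session_id = :sid');
    $stmt->bindValue(':sid', $id, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Same treatment for the numeric user_id case from post #1: validate as a
// positive integer, then bind it as an integer.
function safeUserLookup(PDO $db, array $session): array
{
    $uid = filter_var($session['user_id'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    if ($uid === false) {
        throw new InvalidArgumentException('malformed user id');
    }
    $stmt = $db->prepare('SELECT * FROM tablex WHERE user_id = :uid');
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection with emulated prepares disabled so MySQL itself binds the values
// (placeholder DSN and credentials).
$db = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
```

    The validation step rejects a malformed session value before it reaches the database, and the bound parameter means that even a value that slips past validation is never interpreted as SQL.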

  5. #5 SitePoint Evangelist (Bellingham, WA)
    Thank you for such a detailed response!
