  1. #1
    SitePoint Guru
    Join Date
    Sep 2008
    Posts
    977

    securing queries better

    Been trying to ensure my queries are good. Something crossed my mind.

    To prevent someone injecting extra stuff into my query, perhaps through a form, should I add 'WHERE 1' to all queries where WHERE isn't really 'needed', so that a WHERE something = something_else can't be added by a malicious input? I can add it, but will it prevent even one type of malicious hack?

    bazz

  2. #2
    SitePoint Wizard
    Join Date
    Dec 2003
    Location
    USA
    Posts
    2,582
    It could help. I think Wordpress adds WHERE 1 = 1 to their queries for this reason.

    However, they can easily add a # to the end of their injection, which can cut off everything else in the query.

  3. #3
    SitePoint Addict
    Join Date
    Jul 2008
    Posts
    213
    Would using PDO not eliminate any risk of having any SQL injection issues?

  4. #4
    SitePoint Wizard
    Join Date
    Dec 2003
    Location
    USA
    Posts
    2,582
    There's always a risk. It'll greatly greatly reduce it, but there is always a risk. =p

  5. #5
    SitePoint Wizard bronze trophy
    Join Date
    Jul 2006
    Location
    Augusta, Georgia, United States
    Posts
    4,194
    PDO does nothing itself; using prepared statements that properly separate user input does. PDO just provides a simple interface to do so, but you can still F**k it up if you don't know what you're doing.
    The only code I hate more than my own is everyone else's.
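Added example (not from any poster in this thread) showing the point made in #2 and #5: the 'WHERE 1' guard from #1 is still defeated by a quote plus a comment marker in the input, while a parameterised query never lets the value become part of the SQL text. It uses Python's sqlite3 DB-API as a stand-in for PHP PDO; the table, rows and probe string are constructed here, and SQLite's comment marker is `--` where MySQL's is `#`.

```python
import sqlite3

# Constructed sample data for the demonstration, not from the thread.
SAMPLE_USERS = [("alice", "admin"), ("bob", "staff"), ("carol", "staff")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_concat(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: the 'WHERE 1' guard is present, but the value is
    spliced into the SQL text, so a quote in the input closes the string
    literal and a trailing comment marker discards the rest of the query."""
    sql = f"SELECT name FROM users WHERE 1 AND name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_param(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: a parameterised query. The driver passes the value
    separately from the SQL text, so it can only ever be a string value
    compared against the column, never additional SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    conn = make_db()
    # Constructed input: ends the quoted string early, then comments out
    # whatever follows (so a 'WHERE 1' prefix offers no protection).
    probe = "x' OR 1=1 --"
    print("concatenated:", find_concat(conn, probe))   # every row
    print("parameterised:", find_param(conn, probe))   # no rows
```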
