Preventing SQL injections with ADOdb for PHP

Busch · September 7, 2007, 12:51am

Hi,

I’ve just come across ADOdb for PHP and find it very useful.

The thing I can’t figure out is how to prevent SQL injections with ADOdb.

Can someone who is familiar with ADOdb help me make safe and secure queries on my DB?

Thanks,
Eric

lkagan · September 7, 2007, 1:25am

A pretty standard way of intercepting SQL injection attacks is by using prepared statements. This can be done in a number of different data abstraction layers. You can find ADODB’s docs on prepared statements here.

Hope this helps.

longneck · September 7, 2007, 1:49am

alternatively (but not necessarily better) use the Quote() function provided by ADOdb.

Busch · September 7, 2007, 2:10am

OK, I checked this out and it didn’t make much sense to me. It says, “Prepares (compiles) an SQL query for repeated execution”. What if I’m just doing 1 query?

Also, I tried to use the example on that page but I just don’t get it. How do I echo results with that query?

I tried this and got a little closer but not close enough. When I used Quote, it added extra quotes and broke the query.

Below are the queries that I’ve tried and their results.

First Query:

$id1 = '11945-455972285';
$result = $db->GetAll('select name from products where id=?', array($id1) );
foreach($result AS $row) {
	echo $row['name'];
}

First Debug:

select name from products where id='11945-455972285'

Second Query:

$id2 = '11945-455972286';
$result = $db->GetAll('select name from products where id=?', $db->Quote($id2) );
foreach($result AS $row) {
	echo $row['name'];
}

Second Debug:

select name from products where id='\\'11945-455972286\\''

longneck · September 7, 2007, 2:21am

you’re already using SQL injection safe queries by using the ?. no further action is required.

Busch · September 7, 2007, 2:28am

Ahh, thank you for clarifying that for me.

I have 1 last question concerning querying with values from the user.

I want the ORDER BY to be changeable as well.

I tried this but it didn’t order the results based on price.

$sql = 'SELECT name, price FROM products WHERE category=? AND merchant=? ORDER BY ? DESC';
$cat = 'futons-bed-11945';
$mid = '11945';
$order_by = 'price';
$values = array($cat,$mid,$order_by);
$result = $db->GetAll($sql, $values);
foreach($result AS $row) { 
	echo $row['name'] . ', ' . $row['price'] . '<br>';
}

DEBUG:
SELECT name, price FROM products WHERE category=‘futons-bed-11945’ AND merchant=‘11945’ ORDER BY ‘price’ DESC

Is this kind of bind (bind on the ORDER BY) possible?

Thanks,
Eric

longneck · September 7, 2007, 2:43am

not using parameters, no. you’ll have to use simple string concatenation.

Busch · September 7, 2007, 2:48am

Thanks for your help.

1 last question about SQL injections… Is it possible for someone to do an SQL injection on the part of the query after the WHERE’s and AND’s?

For example:
ORDER BY sql_injection here LIMIT 10

longneck · September 7, 2007, 3:02am

i can’t think of a way off the top of my head, but i don’t suggest not guarding against it. in the case of an ORDER BY, i suggest matching the user-supplied input against an array of known-good values. this shouldn’t be too difficult since you already know all of the valid column names.

Busch · September 7, 2007, 3:18am

OK, thanks for your help on this!

Eric

Topic		Replies	Views
Preventing SQL Injections PHP	4	410	October 8, 2014
Best way to prevent sql injection? PHP	88	9620	October 8, 2014
Prevent SQL Injection PHP	14	1679	January 21, 2011
Pdo and sql injection PHP	13	2503	October 8, 2014
SQL Injection related question PHP	8	961	October 8, 2014

Preventing SQL injections with ADOdb for PHP

Related topics