Asked  7 Months ago    Answers:  5   Viewed   35 times

I'm developing a website and I'm trying to secure the connection part.

I used the addslashes function on $login to stop SQL injection but some friends told me that's not enough security. However, they didn't show me how to exploit this vulnerability.

How can I / could you break this code? How can I secure it?

<?php

if ( isset($_POST) && (!empty($_POST['login'])) && (!empty($_POST['password'])) )
{
    // pulls every POST field into a local variable of the same name
    extract($_POST);
    // $login is only run through addslashes() before being concatenated into the query
    $sql = "SELECT pseudo, sex, city, pwd FROM auth WHERE pseudo = '".addslashes($login)."'";
    $req = mysql_query($sql) or die('Erreur SQL');
    if (mysql_num_rows($req) > 0)
    {
        $data = mysql_fetch_assoc($req);
        // plaintext comparison against the stored pwd column
        if ($password == $data['pwd'])
        {
            $loginOK = true;
        }
    }
}
?>

 Answers

69

You should use mysql_real_escape_string for escaping string input parameters in a query. Use type casting to sanitize numeric parameters and whitelisting to sanitize identifiers.

In the referenced PHP page, there is an example of an SQL injection in a login form.

A better solution would be to use prepared statements; you can do this by using PDO or mysqli.

Wednesday, March 31, 2021
 
QuantumMechanic
answered 7 Months ago
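The login from the question rewritten along the lines of this answer, as an added example that is not from the original thread: a PDO prepared statement keeps the input out of the SQL text, and the password is checked against a stored hash instead of a plaintext column. It assumes the same auth table (with pwd now holding a password_hash() value); the DSN and credentials are placeholders.

```php
<?php
// Added example, not the asker's code: PDO prepared statement + hashed password.
// Assumes table `auth` with columns pseudo, sex, city, pwd, where pwd stores a
// password_hash() value. DSN and credentials below are placeholders.

function authenticate(PDO $pdo, string $login, string $password): ?array
{
    // Named placeholder: the value never becomes part of the SQL string, so no
    // escaping function (addslashes or otherwise) is involved at all.
    $stmt = $pdo->prepare(
        'SELECT pseudo, sex, city, pwd FROM auth WHERE pseudo = :pseudo'
    );
    $stmt->execute([':pseudo' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against the stored hash rather than comparing plaintext.
    if ($row === false || !password_verify($password, $row['pwd'])) {
        return null;
    }
    unset($row['pwd']);   // do not hand the hash back to the caller
    return $row;
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=APP_DB;charset=utf8mb4', // placeholder DSN
    'DB_USER',                                            // placeholder
    'DB_PASSWORD',                                        // placeholder
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// Read the two fields explicitly; extract($_POST) would let any request
// parameter overwrite local variables such as $loginOK.
$login    = $_POST['login']    ?? '';
$password = $_POST['password'] ?? '';

$loginOK = false;
if ($login !== '' && $password !== '') {
    $user    = authenticate($pdo, $login, $password);
    $loginOK = ($user !== null);
}
```

When creating or updating an account, store password_hash($password, PASSWORD_DEFAULT) in pwd so that password_verify() has a hash to check.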
95

SQLite2 internally stores every value as a string, regardless of its type.
Upgrading to SQLite3 will certainly shrink the database size since numbers and BLOBs get stored in their native formats, which could make things run faster.
Another big advantage in my opinion is that recent versions of SQLite (starting from 3.6.23) support foreign keys.

Since you were using PHP, I would suggest that you look into PDO. It could prove helpful in case you need to change the DBMS for the application.

Saturday, May 29, 2021
 
mgraph
answered 5 Months ago
54

From the mysql_real_escape_string() documentation:

Note: mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.

As far as security, unless you are running a LIKE, GRANT, or REVOKE, it's a non-issue. LIKE is probably the only real concern. It's up to you how you would want to escape it in these situations.

A quick example:

"... LIKE '%" . mysql_real_escape_string($string) . "%' ..."
Saturday, May 29, 2021
 
aaronhuisinga
answered 5 Months ago
34

From the documentation:

con.execute("insert into person(firstname) values (?)", ("Joe",))

This escapes "Joe", so what you want is

con.execute("insert into person(firstname) values (?)", (firstname_from_client,))
Wednesday, June 9, 2021
 
Trott
answered 5 Months ago
82

You can try accessing the SqlCommand object of the DataAdapter:

da_services = new SqlDataAdapter("SELECT * from table WHERE column=@column AND column2=@column2", conn);
da_services.SelectCommand.Parameters.AddWithValue("@column", textBox1.Text);
da_services.SelectCommand.Parameters.AddWithValue("@column2", somestring);
Wednesday, August 25, 2021
 
Razvan N
answered 2 Months ago