Re: SQL Injection

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 15/05/14 18:19 , Karl DeSaulniers wrote:
On May 14, 2015, at 8:09 PM, Aziz Saleh <azizsaleh@xxxxxxxxx> wrote:



On Thu, May 14, 2015 at 9:05 PM, Karl DeSaulniers <karl@xxxxxxxxxxxxxxx> wrote:
Hello Everyone,
Have a quick question. Was reading some material and wanted some Players perspective.
I know w3schools is not the de-facto on everything, so I wanted to know how reliable is the information on this page.

http://www.w3schools.com/sql/sql_injection.asp

Namely the @ symbol before SQL Values and because this talks about SQL and not MySQL specifically, does this not apply to MySQL?
To my uneducated eyes it seems legit. Any clarification is greatly appreciated.

TIA,

Best,

Karl DeSaulniers
Design Drumm
http://designdrumm.com



That is preferred in PHP as well. The SQL/MySQL isn't specifically doing the replacement, but rather the driver object. Using parametrized queries:

http://php.net/manual/en/pdo.prepared-statements.php



Thank you Aziz,
Interesting link, thank you for that. I have not worked with prepared statements on my own, just in WordPress.

So the @ symbol is a preferred method even outside the SQL world because?

What specifically is the @ symbol doing?

 From what I read, and from what you just mentioned,
it's the PHP->SQL driver that check this @ symbol and treats the data as literal text?
Meaning it will not execute the text that comes after the @ symbol as code.

If I understand correctly it is not the @ symbol itself which is the thing you should be looking at. What you should be looking at is how your programming language handles prepared statements. What I see is that the @ symbol is how ASP.Net defines the variable name, and also the variable position.

I am not sure about this, but it looks like PHP uses : for the same function.

I am even less sure about this, but I think with prepared statements you can also define what "type" of data is being passed. So if you try to pass a "string" (ie. something that cannot be converted to a number) to a "number" defined variable, you will get an error thrown. If you use a catch statement that error can be handled by your code, rather than PHP handling it in default manner.

It really has been a long time since I have been hands on with any of this, and there is a good chance at least some of what I am saying is wrong.

The point of prepared statements is that what variables you are passing through them, they are passed as literal values, rather than simply putting them through as straight text put into your string you are passing to SQL.

Even if the string ends up "breaking" your query in a way that can harm either security of data, or your database itself (also a security issue), it is not passed in a way that SQL handles as such.

I discovered an issue on one of the web apps I used where I would get a SQL error message if I entered certain strings into the input field. Even though what I was doing wasn't at all trying to test for it, my inputs made it clear what was going on.

With that amount of "what is going on" figured out. I could send a meaningful bug report that got this issue fixed. Most people using the site would have had no idea what was happening.

If I recall, I was putting a " or ' in my input, thus closing the string, which then left the rest being interpreted as SQL code.


--
Datse Multimedia Productions
http://DatseMultimedia.com/
Tel:    250-362-5701
Mobile: 250-354-7094



--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php





[Index of Archives]     [PHP Home]     [PHP Users]     [Postgresql Discussion]     [Kernel Newbies]     [Postgresql]     [Yosemite News]

  Powered by Linux