Guys, I am new to MySQL security, and when I search this issue on Google, lots of people are warning that we should check the MySQL string to see if it contains ' or not, otherwise you are at risk of getting the MySQL database injected, but they didn't tell why. Can you please tell me the reason? Thank you very much.
- You need to escape strings before inserting them into the MySQL database. That's all. Looking whether it contains `'` is not necessary. For more info, tell us what platform you are using to access the database - every programming language / database library has its methods for escaping data. – Pekka Mar 14 '13 at 10:56
- Using some API that takes strings and uses them directly as batch SQL is dangerous. But you rarely use such APIs today. It entirely depends on your application code and libraries. – Denys Séguret Mar 14 '13 at 10:58
- Sometimes it is possible (and maybe safer / faster) to just use the integer value of a passed parameter, for example when it is an id field for a row on a table. Anything from the client side can be suspect (e.g., it is trivial to edit the available options on a drop-down list to add dubious options). – Kickstart Mar 14 '13 at 11:03
- I am using PHP with no library (or I write the MySQL library myself). I was just trying to develop a simple blog CMS, and I have no idea about MySQL security. – Mr.Leex Mar 14 '13 at 13:46
1 Answer
Imagine you have a user table and a login form. Usually when a user logs in you want to determine whether he has an account:
THIS IS VERY BAD PHP:
"SELECT * FROM users WHERE username = '$username' AND password = MD5('$password');"
Now you have a user with the username
1';DROP TABLE users;#
What would happen?

Del Pedro
- Oh, my god. I know the reason now! Thank you very much. Apart from filtering the ', are there any other things I should pay attention to? Thank you again! – Mr.Leex Mar 18 '13 at 06:51
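The answer's string-built query next to a mysqli prepared statement, as an added example (not code from the answer or the question); the connection details, the `blog` database name and the `users` table columns are assumptions.

```php
<?php
// Added example, not from the answer above: the string-built query from the
// answer next to a mysqli prepared statement. Connection details are
// placeholders; the MD5 password check is kept only to mirror the answer.

// Constructed input: the username from the answer, as a visitor would type it.
$username = "1';DROP TABLE users;#";
$password = "anything";

// BAD: the input is pasted into the SQL text. The quote closes the string
// literal and everything after it is parsed as SQL, not as a username.
// Even where the driver refuses the stacked second statement, the '#'
// turns the rest of the line into a comment, so the password condition
// is no longer part of the query at all.
$badSql = "SELECT * FROM users WHERE username = '$username' AND password = MD5('$password');";
echo $badSql, PHP_EOL;

// GOOD: the SQL text with ? placeholders is sent first and compiled on the
// server; the values are bound afterwards as data, so no quote inside
// $username can change the structure of the query.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'blog'); // placeholders
$db->set_charset('utf8mb4'); // escaping and binding depend on the connection charset
$stmt = $db->prepare('SELECT id, username FROM users WHERE username = ? AND password = MD5(?)');
$stmt->bind_param('ss', $username, $password); // 's' = bind each value as a string
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
echo $row ? "login ok for {$row['username']}" : "no such user", PHP_EOL;
// In a real application, store hashes with password_hash() and check them
// with password_verify() instead of MD5() in the query.
```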