3

I am using mysqli prepared statements and bound variables.

  1. Then to prevent sql injection, am I need to do anything else(eg: data type validation, filtering, sanitize, string escape etc ) with user input ?

  2. Is there any other way of attacking MySql database other than Sql Injection ?

SCC
  • 509
  • 7
  • 13
  • Sure - stealing a badly done password and just busting in to steal data. – duffymo Sep 28 '13 at 13:37
  • Yes, there are. Have a look at the history of [publicly known vulnerabilities in MySQL](http://www.cvedetails.com/vulnerability-list/vendor_id-185/Mysql.html). – Gumbo Sep 28 '13 at 13:38
  • You can't attack what you can't access, so your MySQL server should be firewalled off from being accessible from the Internet, and, ideally, should not be accessible from any machine in your network that does not require access, so that those machines, if compromised, don't provide an intermediate path to access it. Your application should be using a mysql account with only the privileges that it requires, and not more. – Michael - sqlbot Sep 28 '13 at 20:30
  • I means the attack through my web application only, and not in other ways. Also I am using shared hosting from Godaddy. I can't set privileges to the mysql user – SCC Sep 29 '13 at 09:38

1 Answers1

2

To prevent SQL injection you have to format your query properly.
Every literal that have to be added to the query dynamically, have to be properly formatted.
Not only data literals like strings and numbers but all of them, including operators and identifiers. The only proper way to make values formatted is prepared statements.

For the identifiers and operators you will need also filtering, to let only allowed ones into query.

Whatever user input should not be involved at all. It's destination, not source that matters.

Is there any other way of attacking MySql database other than Sql Injection ?

sure thing. But the topic is too broad to make you secured by means of a forum post. Better hire a DBA.

Your Common Sense
  • 156,878
  • 40
  • 214
  • 345
  • @Your Common Sense "Whatever user input should not be involved at all. It's destination, not source that matters." - I can't understand – SCC Sep 28 '13 at 13:58
  • You should format properly **everything** that goes into query, not just a certain subset of data, no matter how you call it. – Your Common Sense Sep 28 '13 at 14:00