Re: [PHP-DB] SQL Injection

2015-05-15 Thread Onatawahtaw
-Kevin Waddell
Proverbs 3:5-6



On Fri, 5/15/15, Ruprecht Helms rhe...@rheynmail.de wrote:

 Subject: Re: [PHP-DB] SQL Injection
 To: php-db@lists.php.net
 Date: Friday, May 15, 2015, 10:16 AM
 
  On 15.05.2015 07:21, Karl DeSaulniers wrote:
   On May 14, 2015, at 11:11 PM, Onatawahtaw onatawah...@yahoo.ca wrote:
 
   Hi Karl,
 
   If you look at the link you provided you'll notice that some of the code is
   for ASP.net and some is for PHP.
 
  I have looked at the link.
  Most problems with injected SQL code come from adding something to the
  WHERE clause, ending it with a semicolon and adding an additional SQL
  command behind the semicolon. In this case you have two SQL commands. The
  first may be a SELECT command and the next can drop a whole table with all
  its content.
 
  One thing you can do is to trim the SELECT statement and throw away
  everything behind a semicolon, together with the semicolon itself.
 
 
To assume that any SQL injection is going to be by a second statement is very 
risky. Someone can simply add an OR section to the WHERE clause. It will 
still be one SQL statement and your trim will have done nothing to solve the 
problem. It is best not to make that assumption and not bother with trimming. 
Also, it would be tricky finding a proper trim function, especially if your form 
input should contain semicolons, etc.

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP-DB] SQL Injection

2015-05-14 Thread Onatawahtaw
Hi Karl,

If you look at the link you provided you'll notice that some of the code is for 
ASP.net and some is for PHP. Which of the two are you programming in? If you are 
programming in ASP.net you are asking your question on the wrong mailing list, 
as this list is for PHP. If you are programming in PHP, then the @ symbol does 
not apply to you.

Both prepared statements and mysqli_real_escape_string do provide adequate 
security (if used correctly). However, my recommendation is to learn how to 
use PDO with prepared statements. PDO also offers the benefit of being able to 
connect to multiple types of databases without needing to change your code. If 
you use mysqli and down the road you decide you want to use Oracle, MS SQL 
Server, or some other database server, you will need to rework a lot of your 
code. Not so with PDO.

Hope this helps,

-Kevin Waddell
Proverbs 3:5-6



On Thu, 5/14/15, Karl DeSaulniers k...@designdrumm.com wrote:

 
 Ok, so to understand my own situation, the method I have been using,
 mysqli_real_escape_string, is sufficient? Or is the @ symbol the better
 preferred method?
 
 Best,
 
 Karl DeSaulniers
 Design Drumm
 http://designdrumm.com
 

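The two messages above argue over whether stripping everything after a semicolon is a usable defence and end with a recommendation for PDO prepared statements. As an added example (it is not code from either message or from the list), the PHP script below runs both ideas against an in-memory SQLite database through PDO: an injected OR condition that contains no semicolon passes the trim filter untouched and matches every user, while the same input bound through a prepared statement matches nothing. The table, its two rows, the login functions and the attacker string are all constructed for the illustration.

```php
<?php
// Added example (not from the mailing-list thread). Demonstrates that stripping
// everything after a semicolon does not stop SQL injection, and that a PDO
// prepared statement does. Uses an in-memory SQLite database so it runs
// stand-alone: php sqli_demo.php
// Table, rows and the attacker input below are constructed for the demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)");
$pdo->exec("INSERT INTO users (name, password) VALUES ('alice', 's3cret'), ('bob', 'hunter2')");

// The "throw away the semicolon and everything behind it" filter from the thread.
function trimAtSemicolon(string $input): string
{
    $pos = strpos($input, ';');
    return $pos === false ? $input : substr($input, 0, $pos);
}

// Vulnerable: the WHERE clause is built by string concatenation. The filter is
// applied, yet a payload that contains no semicolon passes through unchanged.
function loginVulnerable(PDO $pdo, string $name, string $password): array
{
    $name = trimAtSemicolon($name);
    $password = trimAtSemicolon($password);
    $sql = "SELECT name FROM users WHERE name = '$name' AND password = '$password'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the same query as a prepared statement. The driver passes the
// values separately from the SQL text, so they can never alter its syntax.
function loginSafe(PDO $pdo, string $name, string $password): array
{
    $stmt = $pdo->prepare("SELECT name FROM users WHERE name = :name AND password = :password");
    $stmt->execute([':name' => $name, ':password' => $password]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker input: one statement, no semicolon, so trimAtSemicolon()
// leaves it untouched. Inside the concatenated query it becomes
//   WHERE name = 'x' OR '1'='1' AND password = 'x' OR '1'='1'
// and, because AND binds tighter than OR, that is true for every row.
$payload = "x' OR '1'='1";

echo "legitimate login:   " . json_encode(loginVulnerable($pdo, 'alice', 's3cret')) . "\n";
echo "vulnerable + trim:  " . json_encode(loginVulnerable($pdo, $payload, $payload)) . "\n";
echo "prepared statement: " . json_encode(loginSafe($pdo, $payload, $payload)) . "\n";
```

Two caveats a practitioner should keep in mind. mysqli_real_escape_string() would escape the single quote in this particular payload, but only helps when every interpolated value sits inside quotes in the SQL text; an unquoted numeric context such as `WHERE id = $id` is not protected by escaping at all, whereas a prepared statement (PDO or mysqli) removes that condition. And the stacked "SELECT ...; DROP TABLE ..." scenario from the first message does not even apply to mysqli_query(), which executes a single statement; running several requires mysqli_multi_query().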



[PHP-DB] PDO Exceptions

2013-04-22 Thread Onatawahtaw
Greetings,

I am new to this list. I have a question about which functions need to be 
included in a try block. 

Of new PDO, prepare, bindParam, execute, fetch, and query, it seems 
that bindParam is the only one that throws an exception. So is this the only 
one that needs to be put into a try block?

Thanks,

-KJW
Proverbs 3:5-6
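Which PDO calls throw is governed by the PDO::ATTR_ERRMODE attribute rather than by the method. As an added example that is not part of the question above, the PHP script below (PDO against SQLite, with a constructed table, a deliberately invalid DSN and a deliberately misspelled SELECT) shows the constructor throwing PDOException in every mode, prepare() and query() returning false in ERRMODE_SILENT, and the same calls throwing in ERRMODE_EXCEPTION, so one try block around the whole unit of work covers prepare, bind, execute and fetch together.

```php
<?php
// Added example (not from the mailing-list thread). Shows that which PDO calls
// throw depends on PDO::ATTR_ERRMODE, not on the method. Runs stand-alone
// against SQLite: php pdo_errmode_demo.php

// 1. The constructor throws PDOException on connection failure in every error
//    mode. The path below is constructed and deliberately unopenable.
try {
    new PDO('sqlite:/nonexistent-dir/does-not-exist.db');
} catch (PDOException $e) {
    echo "constructor threw: " . $e->getMessage() . "\n";
}

$pdo = new PDO('sqlite::memory:');
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users (name) VALUES ('alice')");

// 2. In ERRMODE_SILENT (the default before PHP 8.0) a failing prepare() or
//    query() returns false and records the error in errorInfo(); nothing is
//    thrown, so an unchecked return value silently hides the failure.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT);
$stmt = $pdo->prepare("SELEC name FROM users");   // deliberate syntax error
if ($stmt === false) {
    echo "silent mode: prepare() returned false, errorInfo = "
        . json_encode($pdo->errorInfo()) . "\n";
}

// 3. In ERRMODE_EXCEPTION (the default since PHP 8.0) every failing call throws
//    PDOException, so a single try block around prepare/bind/execute/fetch is
//    enough; no per-call return-value checks are needed.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

function findUser(PDO $pdo, string $name): ?string
{
    try {
        $stmt = $pdo->prepare("SELECT name FROM users WHERE name = :name");
        $stmt->bindValue(':name', $name, PDO::PARAM_STR);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row['name'];
    } catch (PDOException $e) {
        // Log the detail server-side; never echo $e->getMessage() to the user,
        // since driver messages can reveal table and column names.
        error_log("findUser failed: " . $e->getMessage());
        return null;
    }
}

try {
    $pdo->query("SELEC name FROM users");   // same syntax error, now thrown
} catch (PDOException $e) {
    echo "exception mode: query() threw: " . $e->getMessage() . "\n";
}

echo "findUser('alice')  = " . var_export(findUser($pdo, 'alice'), true) . "\n";
echo "findUser('nobody') = " . var_export(findUser($pdo, 'nobody'), true) . "\n";
```

With pdo_mysql the default PDO::ATTR_EMULATE_PREPARES is true, so prepare() does not send the statement to the server and a syntax error surfaces at execute() instead; the placement of the try block above does not depend on which call reports it. On PHP 7 and earlier, set PDO::ERRMODE_EXCEPTION explicitly right after constructing the connection, as the script does, rather than relying on the default.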