SQL Injection / Sanitation
I'd like to learn more about how to protect against SQL Injection (and do better sanitation) when using these mySQLi behaviors. Do you have examples or suggestions you can recommend?
In particular, I'd like to learn how to remove single ticks and quotation marks from values entered into a field before INSERT.
MySQLi Server Behaviors uses prepared statements that are inherently injection-proof. As long as you are using our server behaviors you shouldn't have to worry about it.
You can read more about how to prevent injection and how prepared statements work here:
https://websitebeaver.com/prepared-statements-in-php-mysqli-to-prevent-sql-injection
Hi Ray, I recently built a new section on an existing site using SA/mySQLi server behaviors. The client has had a penetration test done and it's come back showing a high impact/high probability of SQL injection which I need to fix urgently. However reading the material on the link above, although I think I understand how it can happen, I'm not sure how to fix it - and particularly if, as you say, the mySQLi server behaviors use prepared statements anyway! Would it be the login page I would need to update? I've attached a copy for info.
I don't see any vulnerability on this page. It does use prepared statements, so SQL injection shouldn't be possible. I don't see any hand coding that would have opened any vulnerabilities. Can I get a copy of the report that says there is a problem? Does it have any details?
Hi Ray, yes I have a 174-page document to go through with everything that was picked up! :-( See PM.
I don't see the attachment. I may want the FTP information, but I'd like to see the relevant error first.
Attaching again, this time as a PDF - hope it gets to you OK.
This is a false positive and isn't a real SQL injection hole. It is detecting that these two URLs return a different result and it assumes that is because it is getting information from the database.
https://www.yoursite.co.uk/theagency/index.php?&accesscheck=/theagency/index.php?-1' AND 'yUOyV'='pVXHK' OR 'yUOyV'='yUOyV' OR '1234'='747235
https://www.yoursite.co.uk/theagency/index.php?&accesscheck=/theagency/index.php?-1' AND 'oQqtS'='llomj' OR 'oQqtS'='llomj' OR '1234'='734102
However, if you follow those two links the pages are different because one is going to a 404 page, not because any information is coming from the database. That means this isn't really an issue.
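To make the two points above concrete (prepared statements instead of stripping quotes before INSERT, and why the scanner's boolean probe cannot change query logic when the value is bound), here is an added example. It is not the WebAssist server-behavior code or anything from the pentest report; the table name `users`, its columns, the database credentials and the function names are assumptions for illustration, and the probe string is the one quoted from the report.

```php
<?php
// Added example, not WebAssist's generated code. Assumes a MySQL database
// "theagency" with a table users(id INT AUTO_INCREMENT, username VARCHAR,
// password_hash VARCHAR) and the credentials below; adjust to your schema.
declare(strict_types=1);

// Throw on SQL errors instead of returning false silently: an injected quote
// that breaks the query then surfaces as an exception, not as an empty result.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app', 'secret', 'theagency'); // assumed credentials
// The connection charset must be set here; escaping and binding depend on it.
$db->set_charset('utf8mb4');

// --- Injectable: the value is spliced into the SQL text -------------------
function find_user_vulnerable(mysqli $db, string $username): ?array
{
    // Any single quote in $username ends the string literal, so the rest of
    // the value is parsed as SQL and can rewrite the WHERE clause.
    $sql = "SELECT id, password_hash FROM users WHERE username = '" . $username . "'";
    $res = $db->query($sql);
    return $res->fetch_assoc() ?: null;
}

// --- Hardened: the value is sent as a bound parameter ---------------------
function find_user(mysqli $db, string $username): ?array
{
    // The SQL text is fixed at prepare() time; the parameter travels to the
    // server separately as data, so quotes inside it are never parsed as SQL.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $row = $stmt->fetch() ? ['id' => $id, 'password_hash' => $hash] : null;
    $stmt->close();
    return $row;
}

function add_user(mysqli $db, string $username, string $password): int
{
    // No need to strip ticks or quotation marks before INSERT: the bound
    // value is stored verbatim and a name like O'Brien round-trips intact.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
    $newId = (int) $stmt->insert_id;
    $stmt->close();
    return $newId;
}

function login(mysqli $db, string $username, string $password): bool
{
    $row = find_user($db, $username);
    return $row !== null && password_verify($password, $row['password_hash']);
}

// A username containing a single quote is accepted as plain data.
add_user($db, "O'Brien", 'correct horse battery staple');
$ok = login($db, "O'Brien", 'correct horse battery staple');

// The boolean-based probe quoted in the scan report, passed as the username.
// With the prepared statement it is compared literally against the column
// and matches nothing. With find_user_vulnerable() the same string yields
// WHERE username = '-1' AND 'yUOyV'='pVXHK' OR 'yUOyV'='yUOyV' OR '1234'='747235'
// which is true for every row, so the first user in the table comes back.
$probe = "-1' AND 'yUOyV'='pVXHK' OR 'yUOyV'='yUOyV' OR '1234'='747235";
$fromPrepared = find_user($db, $probe);
```

Run against a throwaway database: `$ok` is true because the quote in O'Brien was stored and looked up as data, and `$fromPrepared` is null because no user has the probe string as a literal name. Calling `find_user_vulnerable($db, $probe)` instead returns the first row, which is exactly the response difference a scanner's TRUE/FALSE payload pair looks for; the report's finding is only real when that difference comes from the query, not from one URL landing on a 404 page. Two things the generated code relies on and hand-written code should keep: the charset is set on the connection, and the parameter is bound rather than escaped, so there is nothing left for quote stripping to do.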
Thanks Ray, I'll pass this on. See PM too.
Your friends over here at WebAssist! These Dreamweaver extensions will assist you in building unlimited, custom websites.