godesign godesign - 5 months ago 21
PHP Question

Protection against SQL injection

Does the following PHP MySQL statement protect against SQL Injection?

$strSQL = "SELECT * FROM Benutzer WHERE Benutzername = '".$Benutzer."' AND Password = '".md5($PW)."'";


The Variables
$Benutzer
and
$PW
are inputs from the User.

We're checking the username and password against common SQL Injection techniques:


' or 0=0 --
,
" or 0=0 --
,
or 0=0
--
,
' or 0=0 #
,
" or 0=0 #
,
or 0=0 #
,
' or 'x'='x
,
" or "x"="x
,
') or ('x'='x
,
' or 1=1--
,
" or
1=1--
,
or 1=1--
,
' or a=a--
,
"
or "a"="a
,
') or ('a'='a
,
") or
("a"="a
,
hi" or "a"="a
,
hi" or 1=1
--
,
hi' or 1=1 --
,
hi' or 'a'='a
,
hi') or ('a'='a
and
hi") or
("a"="a
.


Am I missing something? Should I use a different method to protect against SQL injection?

Answer

You may want to look into parameterized queries for querying the database. This eliminates SQL injection attacks.

I work primarily with postgreSQL, and the format for doing such a query would look something like this:

$query = 'select * from Benutzer where Benutzername = $1 and Passwort = $2';
$params = array($Benutzer, md5($PW));
$results = pg_query_params($query, $params);

Most databases have a function that will be similar to this funationality.

I hope this helps and good luck!

Kyle

Comments