http://www.codeassembly.com/feed/comments/45 CodeAssembly - Simplicity is prerequisite for reliability - Comments en-us contact@codeassembly.com contact@codeassembly.com RSS Feed Generator use prepare for query its best pratice for all newbie to avoid sql injection :) http://codeassembly.com/Are-you-still-worried-about-sql-injection-?/#333 2010-08-11 12:38:45 http://codeassembly.com/Are-you-still-worried-about-sql-injection-?/#333 I am still amazed that programmers construct interactions with databases using SQL/Mysql/Oracle/postgresql etc. Do not do it. Your job is to control/direct the user experience. Use DB2/400 and stop messing about. http://codeassembly.com/Are-you-still-worried-about-sql-injection-?/#122 2008-05-22 13:03:27 http://codeassembly.com/Are-you-still-worried-about-sql-injection-?/#122 If SQL Injection works on a website in this day and age, it DESERVES to get hacked. Seriously. http://codeassembly.com/Are-you-still-worried-about-sql-injection-?/#121 2008-05-22 14:36:20 http://codeassembly.com/Are-you-still-worried-about-sql-injection-?/#121 You could just use PDO, which automatically escapes the data you pass to it. http://codeassembly.com/Are-you-still-worried-about-sql-injection-?/#120 2008-05-22 05:24:11 http://codeassembly.com/Are-you-still-worried-about-sql-injection-?/#120 Is safer to put the default value instead of user input because PHP has some problems with UTF8 and the string comparison can be true but the string can be slightly different. http://codeassembly.com/Are-you-still-worried-about-sql-injection-?/#119 2008-05-22 02:19:56 http://codeassembly.com/Are-you-still-worried-about-sql-injection-?/#119 Wouldn't it be easier to do that last bit of code's switch statement thusly: switch ($_GET['bookCategory']) { case 'sf_books': case 'literature_books': $table = $_GET['bookCategory']; break; default: $table = 'cooking_books'; } http://codeassembly.com/Are-you-still-worried-about-sql-injection-?/#118 2008-05-21 22:43:29 http://codeassembly.com/Are-you-still-worried-about-sql-injection-?/#118 Jakub Kulhan, this is just an example to show that query generation using user input is dangerous. It's not trying to be an example on how to design your database. @Konr Ness and @slink thanks for the tip, I forgot to put that break. @Wabbitseason, you can write your code any way you want, the important thing is not to slip any user input in the query. http://codeassembly.com/Are-you-still-worried-about-sql-injection-?/#117 2008-05-21 12:22:45 http://codeassembly.com/Are-you-still-worried-about-sql-injection-?/#117 The last example (using user input as table name) is non-sens. With good database design you'll never get to this situation. For example suppose that we have these tables: books (id, name, type_id) and types (id, name). And here you can use bindable value, again, to choose type of book: SELECT * FROM books LEFT JOIN types ON books.type_id = types.id WHERE type.name = ? I think that it's more secure and for unknown type it won't return anything, which is more expectable. http://codeassembly.com/Are-you-still-worried-about-sql-injection-?/#116 2008-05-20 12:02:27 http://codeassembly.com/Are-you-still-worried-about-sql-injection-?/#116 or ... switch ($_GET['bookCategory']) { case 'sf_books': case 'literature_books': $table = $_GET['bookCategory']; break; default: $table = 'cooking_books'; } $query = "SELECT * FROM $table"; or rather: $allowed = array('cooking_books', 'sf_books', 'literature_books'); if (@in_array($_GET['bookCategory'], $allowed)) { $table = $_GET['bookCategory']; } else { $table = current($allowed); } $query = "SELECT * FROM $table"; http://codeassembly.com/Are-you-still-worried-about-sql-injection-?/#115 2008-05-21 06:35:16 http://codeassembly.com/Are-you-still-worried-about-sql-injection-?/#115 Probably you missed a "break" in case 'literature_books'. http://codeassembly.com/Are-you-still-worried-about-sql-injection-?/#114 2008-05-21 05:45:39 http://codeassembly.com/Are-you-still-worried-about-sql-injection-?/#114 That last bit of code with the switch statement has bug. You missed the break; statement after the 'literature_books' case. Without it, $table will be 'cooking_books' even if 'literature_books' was specified. http://codeassembly.com/Are-you-still-worried-about-sql-injection-?/#113 2008-05-21 10:59:07 http://codeassembly.com/Are-you-still-worried-about-sql-injection-?/#113