Testing and detecting SQL injections in PHP

Question

Testing and detecting SQL injections in PHP

I am new to PHP and still do not know how this works.

If I use mysqli_real_escape_string()and parameterize each variable in an SQL query, can I do this with is_numeric(), etc.
What is the best way to create an injection detection system? Just confirm user input with regular expressions and save it to the database?

+5

php sql-injection mysqli

Crayl Jun 25 '11 at 20:24

source share

5 answers

, . , "" , sql ... , SO SQL;)

+4

Nanne 25 . '11 20:26

MySQL : NULL \n \r \ ' " 0x1A. .

"escaped" SQL. Escaping (, ). escape- SQL-, , , , .

, quote escape. , .

, , , , , , , .

:

, , , , SQL , , , .

- , . mysqli prepare(), bind_param(). , , SQL-.

+3

tylerl 25 . '11 21:07

, , SQL- -

.

+1

LainIwakura 25 . '11 20:28

The problem with SQL injection is that the user inserts SQL data into the command and does not verify that the data matches your business rules.

Ensure that all user data is passed through mysqli_real_escape_string or that prepared statements used are the best way to avoid problems.

0

datasage Jun 25 '11 at 20:28

source share

Michael berkowski · Accepted Answer · 2011-06-25T20:27:15+0000

Even if you protected your variables from being injected with a parameterized query or mysql_real_escape_string()(not mysql_escape_string()), you should still check them on the server side to make sure they match the expected input type. Thus, if they do not, you can return an error message to your user with a request to repeat these form fields.

If you use a parameterized query, such as that proposed by MySQLi as prepared statements, you also do not need to avoid strings. However, if you are not using a parameterized query, you must call mysql_real_escape_string()for each input parameter received by PHP.

Testing and detecting SQL injections in PHP

:

More articles: