I understand that prepared statements are the best way to protect against SQL injection. However, they provide coverage in a limited manner; for example, in cases where I allow the user to decide how the ordering should work (i.e. is it ASC or DESC? etc.), I do not get any coverage from prepared statements there.
I understand that for this I can map the user's input to a predefined whitelist. But this is only possible when the whitelist can be created or guessed in advance.
For example, in the cases that I mentioned above (ASC or DESC), this can easily be compared and checked against a list of accepted values. But isn't there a situation where part of the SQL statement cannot be checked against a whitelist?
If this situation exists, then what is the recommended approach?
If I were to escape user input using the database's built-in utility (such as mysql_real_escape_string for MySQL) across the board, where would I fail?
I ask this question with the assumption that I always create my SQL expressions with quoted values, even for integers.
Let's look at the following example.
select {$fields} from {$table} where Age='{$age}' order by {$orderby_pref}
Suppose all the vars are user-provided.
If I were to use mysql_real_escape_string on all the variables in the aforementioned SQL (as opposed to using prepared statements, which cover me only halfway and force me to whitelist the other half, which is not always possible), is it equally safe (and easier to code)? If not, in which case would the escaping utility fail?
$fields = mysql_escape($fields);
$table = mysql_escape($table);
$age = mysql_escape($age);
$orderby_pref = mysql_escape($orderby_pref);
select {$fields} from {$table} where Age='{$age}' order by {$orderby_pref}
Average joe
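An added example, not part of the original post: a Python script that builds the exact query shape from the question both ways (escape every variable and interpolate, versus a bound placeholder for the value plus whitelist lookups for the field list, table name and sort direction) and runs both against sqlite3 as a stand-in for MySQL. The `mysql_escape` helper is an assumed re-implementation of the character set that mysql_real_escape_string rewrites (single-byte charset assumed), not the libmysql call; the `users` table, its rows, the whitelist sets and the payloads are constructed for the demonstration. Because SQLite does not interpret backslash escapes inside string literals, the quoted `Age` slot is only exercised with a benign value; the point is the three unquoted slots, where the payloads contain no character that escaping touches.

```python
import sqlite3

# Constructed sample data (not from the original post). Both 30-year-olds match
# the WHERE clause; the hash values are chosen so that ordering by Name and
# ordering by PasswordHash give different row orders.
SCHEMA = """
CREATE TABLE users (Name TEXT, Age INTEGER, PasswordHash TEXT);
INSERT INTO users VALUES ('alice', 30, 'z-hash');
INSERT INTO users VALUES ('bob',   30, 'a-hash');
INSERT INTO users VALUES ('carol', 41, 'm-hash');
"""


def connect():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def mysql_escape(value):
    """Assumed stand-in for mysql_real_escape_string: rewrites the same
    characters (NUL, \\n, \\r, backslash, both quotes, Ctrl-Z) and nothing
    else. Assumes a single-byte connection charset."""
    table = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
             "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def query_escape_everything(db, fields, table, age, orderby_pref):
    """The post's proposal: escape all four variables, interpolate all four.
    Only Age sits inside quotes, so only Age benefits from the escaping."""
    sql = "select {f} from {t} where Age='{a}' order by {o}".format(
        f=mysql_escape(fields), t=mysql_escape(table),
        a=mysql_escape(age), o=mysql_escape(orderby_pref))
    return db.execute(sql).fetchall()


# Whitelists (constructed) for the slots a placeholder cannot take.
ALLOWED_FIELDS = {"Name", "Age"}
ALLOWED_TABLES = {"users"}
ORDER_DIRECTION = {"asc": "ASC", "desc": "DESC"}  # user token -> SQL keyword


def query_whitelist_and_bind(db, fields, table, age, orderby_pref):
    """Placeholder for the value; whitelist lookup for identifiers/keywords."""
    cols = [c.strip() for c in fields.split(",")]
    if any(c not in ALLOWED_FIELDS for c in cols):
        raise ValueError("field not allowed: %r" % fields)
    if table not in ALLOWED_TABLES:
        raise ValueError("table not allowed: %r" % table)
    direction = ORDER_DIRECTION.get(orderby_pref.strip().lower())
    if direction is None:
        raise ValueError("order direction not allowed: %r" % orderby_pref)
    # The interpolated identifiers are members of our own sets; the request
    # string never reaches the SQL text. The value goes through a placeholder.
    sql = "select %s from %s where Age=? order by Name %s" % (
        ", ".join(cols), table, direction)
    return db.execute(sql, (age,)).fetchall()


def is_rejected(db, fields, table, age, orderby_pref):
    """True if the whitelist builder refuses the inputs."""
    try:
        query_whitelist_and_bind(db, fields, table, age, orderby_pref)
    except ValueError:
        return True
    return False


# Constructed payloads for the unquoted slots. None contains a character that
# mysql_escape rewrites, so escaping is the identity function on them.
LEAK_FIELDS = "Name, PasswordHash"          # extra column in the field list
COMMENT_OUT_TABLE = "users --"              # comments out the WHERE clause


def oracle_order(n):
    """ORDER BY payload acting as a boolean oracle: the row order answers
    'is the first stored hash n characters long?' without using any quotes."""
    return ("case when (select length(PasswordHash) from users order by rowid "
            "limit 1) = %d then Name else PasswordHash end" % n)


if __name__ == "__main__":
    db = connect()
    print(query_escape_everything(db, LEAK_FIELDS, "users", "30", "Name"))
    print(query_escape_everything(db, "Name", COMMENT_OUT_TABLE, "30", "Name"))
    print(query_escape_everything(db, "Name", "users", "30", oracle_order(6)))
    print(query_escape_everything(db, "Name", "users", "30", oracle_order(7)))
    print(query_whitelist_and_bind(db, "Name, Age", "users", "30", "desc"))
    print(is_rejected(db, LEAK_FIELDS, "users", "30", "asc"))
```

Running it shows the three failure modes the escaping approach cannot catch: the field-list payload returns password hashes, the table payload discards the WHERE clause and returns every row, and the ORDER BY payload flips the row order depending on a subquery, which is enough for blind extraction one boolean at a time. The whitelist builder rejects all three because it never copies the request string into an identifier or keyword position; the only user-controlled text that reaches the database is the bound value.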