Geek Answers Handbook

Do I need to check for SQL injection even on verified inputs?

This is about an ad site ... I use PHP and MySql to insert records into db.

I have an HTML form and users must fill out this form in order to continue.

The following is the form input and validation at each input (javascript):
Name (only letters allowed)
Phone (only numbers allowed)
Email (special match email-regexp)
Title (no special characters are allowed, everything else is fine. By special characters I mean !(#)<> Etc. Maximum length is 35 characters.)
Text (Same as title, no length limit)
Price (only rooms allowed)

I am doing mysql_real_escape_string() in the Header and Text , but nothing else.

My question is simple, is that enough?

I have no other security measures .

UPDATE

 var alphaExp = /^[a-zA-ZåäöÅÄÖ\s\-]+$/; var numExp = /^(?=(?:\D*\d){0})[\d -]{0,20}$/; var num_only = /^[0-9]+$/; var emailExp = /^[\w\-\.\+]+\@[a-zA-Z0-9\.\-]+\.[a-zA-z0-9]{2,4}$/; var textExp = /^\s*([\wåäö\-\*][^\w]*){3}.*$/gmi; var headlineExp = /^[\s\da-zA-ZåäöÅÄÖ&()+%\/*$€é:,.'"-]*$/;
+6
javascript html security php mysql
source share
7 answers

All security measures that are implemented in Javascript can be bypassed by the user, for example, by disabling it, deleting listeners, or messing with the code. Do not rely on the customer there!

+8
source share

I have no other security measures.

Security must be performed in layers. Many times, programmers do not understand this, because it is beyond their competence (most have the mantra "if it compiles, send it"). You must ensure safety at any reasonable point. You can never trust a user, especially if he sees the Wild Wild Web. Regular expression checks, known injection tests, and simplifying server and application handling are important.

Please note that the standard of reasonableness is attached. Sometimes it’s easy to be in a security theater or outwit. It is up to you and other project stakeholders to determine what levels of precaution are necessary to implement. Time and materials are costly, so if you spend $ 100,000 to implement security, but get only a refund of $ 80,000, then it will self-destruct.

+5
source share

Everything that comes from the authenticated user. JavaScript execution before user submission. I do not need to run JavaScript code to send a POST request.

+3
source share

You should not use MySQL Extension at all. This is 2010 and PDO is the way to go.

+1
source share

In almost all cases, by default, the question "Do I need ..." when it comes to security issues, "Yes, absolutely."

 <?php /* Execute a prepared statement by passing an array of values */ $sql = 'SELECT name, colour, calories FROM fruit WHERE calories < :calories AND colour = :colour'; $sth = $dbh->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY)); $sth->execute(array(':calories' => 150, ':colour' => 'red')); $red = $sth->fetchAll(); $sth->execute(array('calories' => 175, 'colour' => 'yellow')); $yellow = $sth->fetchAll(); ?>

The above code is in this page in the PHP library. No more worries about mysql_real_escape_string() and try to include prepared statements in your SQL queries.

+1
source share

In addition to thejh's answer , I would recommend Prepared Statements.

+1
source share

Here a lot of people talk about circumventing your javascript, but I want to take another step and show you how to do this, as the context matters. Here is one Firefox addon that I like to use when I do penetration testing or something like that: Groundspeed .

As said a million times, client-side checks are good because you can use them so that users with good behavior can click on your server with bad requests, but each client side of the check should also be mirrored on the server side. And yes, prepared statements are your friend. Also, sanitize anything coming out of your database, as this is the step that many people forget.

+1
source share

More articles:


All Articles