Talk:PHP Programming/SQL Injection Attacks

Hehe, I learned something here... time to go overhaul my forum ;^) --Spoom 14:10, 6 Oct 2004 (UTC)

IMO the first solution provided is bad practice as it skips proper validation of user input. Besides - it may cause nonsensical database queries, which isn't fatal, but unwanted - it is overly complicated

Using magic quotes is bad practice too, see: http://www.php.net/manual/en/security.variables.php --Marek 25.01.2005

There needs to be an additional section on PHP 5's mysqli library and using positional parameters. Example (where $db is a connection): $name = "Joe"; $age = 5; $stmt = $db->prepare("INSERT INTO customers (name, age) VALUES (?, ?)"); $stmt->bind_param("si", $name, $age); $stmt->execute();

The above will properly escape $name and $age, and will also perform better in some cases when inserting multiple rows when the same prepared statement can be reused. Wesley 13:00, 28 April 2006 (UTC)
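As an added illustration of the mysqli approach described in the post above (this is example code, not code from the original post or the article), the following contrasts a string-built query with the prepared, positional-parameter form and reuses one prepared INSERT for several rows. It assumes a reachable MySQL server with placeholder credentials, a table customers(id, name, age), and the mysqlnd driver (needed for get_result()).

```php
<?php
// Added example, not from the original post. Assumes placeholder credentials
// below and: CREATE TABLE customers (id INT AUTO_INCREMENT PRIMARY KEY,
//                                     name VARCHAR(64), age INT);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on failure

$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');

// Vulnerable form, shown for contrast only: user-controlled text is spliced
// into the SQL text, so a quote character in $name changes the query structure.
function findByNameVulnerable(mysqli $db, string $name): array {
    $sql = "SELECT id, name, age FROM customers WHERE name = '$name'";
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// Safe form: the SQL text with ? placeholders is sent to the server first;
// the value travels separately and is never parsed as SQL.
function findByName(mysqli $db, string $name): array {
    $stmt = $db->prepare("SELECT id, name, age FROM customers WHERE name = ?");
    $stmt->bind_param('s', $name);            // 's' = string
    $stmt->execute();                         // note: execute(), not mysqli_stmt_execute
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Reusing one prepared statement for several rows, as the post above describes.
// bind_param binds by reference, so reassigning $name/$age and re-executing is enough.
function insertCustomers(mysqli $db, array $rows): int {
    $stmt = $db->prepare("INSERT INTO customers (name, age) VALUES (?, ?)");
    $stmt->bind_param('si', $name, $age);     // 's' = string, 'i' = integer
    $count = 0;
    foreach ($rows as [$name, $age]) {
        $stmt->execute();
        $count += $stmt->affected_rows;
    }
    return $count;
}

// Constructed sample input: the second name contains a quote that would break
// the concatenated query but is stored verbatim by the prepared one.
$inserted = insertCustomers($db, [['Joe', 5], ["O'Brien", 41]]);
echo "inserted $inserted rows\n";
print_r(findByName($db, "O'Brien"));
```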

Please note that the SQL syntax for the DELETE statement is wrong in the given example: SELECT * FROM `users` WHERE username = '\';DELETE * FROM `forum` WHERE title != \'' The correct form is as shown below: SELECT * FROM `users` WHERE username = '\';DELETE FROM `forum` WHERE title != \'' Also when we try to execute the above statement from within a MySQL client it will be executed successfully. (author of the above post unknown)
 * Thanks - I'll update the article. The MySQL client has always allowed query stacking, but I've tried to do it in PHP and it failed. The SQL parser in one of my PHP apps actually kills the connection if it detects a stacked query. --Dandaman32 14:31, 10 March 2007 (UTC)

Obvious fix for problems (Although impossible to carry out)
Stop using acceptable ascii codes for code execution... Yes, I'm talking about wrecking programming languages as we know them, but nobody said they were perfect. Seriously though, the real problem: these functions accept standard ascii and execute standard ascii. I know... not helpful but still an interesting thought--Kyle van der Meer (talk) 13:46, 9 June 2008 (UTC)

-- FYI, mysql_query can only execute a single statement, so the DELETE example is bogus. regards, adam

removal of the second query injection claim
As adam pointed out, mysql_query in PHP (and I'm guessing the underlying C, but I'm not sure) doesn't allow execution of a second query. I wasn't logged in, but the edit to remove all the stuff about appending a DELETE statement was me. Sorry that it's not a thorough edit and I didn't replace it with any discussion of the real scope of SQL injection in mysql_query, but I considered the problem serious enough to cut it out in a quick edit. This page has a pretty high pagerank and shows up prominently in some searches for SQL injection vulnerabilities in PHP.