
Should I also sanitize data coming from $_GET if that data is not going to change the state of the database?

An example of changing the state of the database is INSERT or DELETE;
an example of not changing the state is SELECT.

The problem I think of with not sanitizing is this.

Inside the code:

$word = $_GET['word'];
$query = "SELECT * FROM tbl_example WHERE name LIKE '%$word%'"; 
mysqli_query($query);


Then the data you search for is

testword%';DROP TABLE tbl_example; -- 


So the final value of $query is

SELECT * FROM tbl_example WHERE name LIKE '%testword%';DROP TABLE tbl_example; -- %'

BUT I guess this won't work because mysqli_query() and mysql_query() can only execute a single SQL statement.

Also, if you sanitize $_GET and inside the database there is a ', then when you search for ' will your search match the one in the DB?

Can you also show me examples of sql injection?

Andy Lester
user1933652
  • See also [this canonical reference question](http://stackoverflow.com/q/60174/168868) and [Wikipedia](http://en.wikipedia.org/wiki/SQL_injection) for more information on SQL injection, including examples. – Charles Dec 28 '12 at 09:15

3 Answers

Let's say your table has 1 million rows and you don't sanitize $_GET as in the example above. Then someone can exploit your search so that it returns all 1 million rows, and your server will try to display all of those and go down. That's just one example.

Example

$_GET["word"]="test%' or name LIKE '";
$word = $_GET['word'];
$query = "SELECT * FROM tbl_example WHERE name LIKE '%$word%'"; 

Query

SELECT * FROM tbl_example WHERE name LIKE '%test%' or name LIKE '%'
Hanky Panky

What you need to use is prepared queries instead of sanitizing data coming from $_GET.

You are using mysqli like mysql and not even escaping GET... you need to use prepared queries.

You need to use it like this:

/* create a prepared statement */
if ($stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=?")) {

    /* bind parameters for markers */
    $stmt->bind_param("s", $city);

    /* execute query */
    $stmt->execute();

    /* bind result variables */
    $stmt->bind_result($district);

    /* fetch value */
    $stmt->fetch();

    printf("%s is in district %s\n", $city, $district);

    /* close statement */
    $stmt->close();
}

From the PHP manual.

Good read:

Sanitizing user's data in GET by PHP

NullPoiиteя

It sounds like you're trying to find excuses to not sanitize data. It's sort of like saying "I don't need to put on my seat belt if I'm only driving a half mile, do I?" Why so hesitant about consistently using best practices?

Moreover, don't bother sanitizing your data. Instead, use parametrized queries like the other answers tell you to.

Others have given you examples that even a SELECT is susceptible to malicious input, but you seem to be wanting to even get around those reasons. Don't fight it. Get into good habits and do it right.

Andy Lester
  • OK, I get it, I'm just curious – user1933652 Dec 28 '12 at 08:41
  • If you sanitize $_GET and inside the database there is a ', then when you search for ' will your search match the one in the DB? Can you please clear my mind on this? – user1933652 Dec 28 '12 at 08:41
  • The best way to clear your mind is to use parametrized queries, so that you don't waste your time and brain energy trying to figure out when you absolutely have to sanitize your data. – Andy Lester Dec 28 '12 at 09:24
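
As an added example that is not part of any answer or comment above: the parametrized form of the asker's LIKE search, which is what the second answer's PHP manual excerpt and the comments here recommend, written in Python against an in-memory SQLite database standing in for MySQL/mysqli. It also settles the question raised in the comments about a ' stored in the database: with a bound parameter the search term is data, so searching for ' matches a stored ' without any escaping on the caller's side. The rows and the `escape_like` helper are constructed for this example.

```python
import sqlite3

# Constructed sample rows standing in for the asker's tbl_example.  O'Brien answers the
# "what if the stored value contains a quote" question; 100%_pure carries both LIKE
# metacharacters.
ROWS = [("apple",), ("O'Brien",), ("100%_pure",), ("testword",)]

ESC = "\\"  # the escape character we declare to LIKE with an ESCAPE clause


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl_example (name TEXT)")
    conn.executemany("INSERT INTO tbl_example VALUES (?)", ROWS)
    return conn


def escape_like(term):
    """Make %, _ and the escape character itself match literally inside a LIKE pattern."""
    return (term.replace(ESC, ESC + ESC)
                .replace("%", ESC + "%")
                .replace("_", ESC + "_"))


def safe_search(conn, word, literal=True):
    """Parameterised version of the question's query.

    The % wildcards are concatenated onto the bound value, never into the SQL text, so
    no quote, semicolon or keyword in `word` can change the statement.  With
    literal=True the user's own % and _ are escaped and match themselves; with
    literal=False they keep their wildcard meaning, so a bare '%' still returns every
    row (the resource-exhaustion point from the first answer).
    """
    if literal:
        sql = "SELECT name FROM tbl_example WHERE name LIKE ? ESCAPE '\\'"
        pattern = "%" + escape_like(word) + "%"
    else:
        sql = "SELECT name FROM tbl_example WHERE name LIKE ?"
        pattern = "%" + word + "%"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    conn = make_db()
    print(safe_search(conn, "'"))                                        # ["O'Brien"]: the quote is data
    print(safe_search(conn, "test%' or name LIKE '"))                   # []: no longer returns everything
    print(safe_search(conn, "testword%';DROP TABLE tbl_example; -- "))  # []: and the table survives
    print(safe_search(conn, "%"), safe_search(conn, "%", literal=False))  # ['100%_pure'] vs all rows
```

In mysqli the same shape is `$stmt = $mysqli->prepare("SELECT name FROM tbl_example WHERE name LIKE ?")` followed by `$stmt->bind_param("s", $pattern)`, with `$pattern = "%" . $word . "%"` built in PHP. MySQL's LIKE uses backslash as its escape character by default, so the ESCAPE clause can be dropped there, but escaping % and _ inside the value is still needed if the user's input is meant to match literally rather than as a wildcard.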