Protect generic sql query statements

Question

Any way to prevent malicious sql statements without using prepared statements and parameterized queries?

Example after simplify:

<?php                
    $con = mysqli_connect($_POST['db_server'], $_POST['db_user'], 
                      $_POST['db_password'], $_POST['db_database']) or die(mysql_error());

    $result = mysqli_query($con, $_POST['query_message']);            
?>

Is it possible to check out the parameter $_POST['query_message'] is safe or not?

Answer 1

Why you don't wanna use Prepared Statements ? That is really weird. I strongly suggest you should go for it.

You could make use of mysqli::real_escape_string for escaping quotes that is commonly used for SQL Injection Attacks.

Something like...

OOP Style

$message = $mysqli->real_escape_string($_POST['query_message']);

Procedural Style

$message = mysqli_real_escape_string($link,$_POST['query_message']);

Answer 2

You should always build your queries within your code and then sanitise any variables you're going to use within them. NEVER pass the query or the database connection variables in via $_POST unless your user is querying the database via that form, in which case I'd recommend you just install phpMyAdmin.

As for sanitising your variables, if you really don't want to use PDO's prepared statements, you can sanitise incoming integers as follows:

$id = (isset($_POST['id']) ? (int)$_POST['id'] : null);
if ($id) {
    $sql = "SELECT *
            FROM `table`
            WHERE `id` = {$id}";
}

And for strings use this:

$username = (isset($_POST['username']) ? mysqli_real_escape_string($con, $_POST['username']) : null);
if ($username) {
    $sql = "SELECT *
            FROM `table`
            WHERE `username` = {$username}";
}

You can also call real_escape_string() directly on your $con object as follows:

$username = (isset($_POST['username']) ? $con->real_escape_string($con, $_POST['username']) : null);

However, as with @Shankar-Damodaran above, I highly suggest you do use PDO prepared statements to query your database.

Answer 3

other way is using:

htmlentities($query);

as an extra you could use preg_match() regular expressions to avoid the inclusion of certain words (SELECT, DROP, UNION .......)

Example:

try{
  $query = sprintf("SELECT * FROM users WHERE id=%d", mysqli_real_escape_string($id));
  $query = htmlentities($query);
  mysqli_query($query);
}catch(Exception $e){
    echo('Sorry, this is an exceptional case');
}

Answer 4

There are real world cases where prepared statements are not an option.

For a simple example, a web page page where you can do a search on any number of any columns in the database table. SAy that table has 20 searchable columns. you would need a huge case statement that has all 20 single column queries, all 19+18+17+16+15+14+13+... 2 column queries, all possible 3 column queries... that's a LOT of code. much less to dynamically construct the where clause. That's what the OP means by prepared statements being less flexible.

Simply put, there is no generic case. If there was, php would have it already.

real_escape_string can be beaten. a common trick is to % code the character you are trying to escape so real_escape_string doesn't see it. then it gets passed to mysql, and decoded there. So additional sanitizing is still required. and when all characters used in injection are valid data, it's a PITA, because you can't trust real_escape_string to do it.

If you are expecting an integer, it's super easy.

$sanitized=(int)$unsanitized;

done.

If you are expecting a small text string, simply truncating the string will do the trick. does't matter that it's not sanitized if there's not enough room to hold your exploit

But there is no one size fits all generic function that can sanitize arbitrary data against sql injection yet. If you write one, expect it to get put into php. :)