I am working on an existing web page and I modify the DOM with jQuery.

In my script, a POST Ajax call sends to a PHP file the parameter registration_id, which is only composed of numbers (for example 310). This parameter is passed in a SQL request which returns 3 elements (id, context_id, time_spent from the trackings table).

So, I have implemented some security in my php code:

  • I check if the POST Parameter is set
  • I check if the length is < 5
  • I check if the parameter is only composed of numbers with ctype_digit()
  • 4th security: the access to the database is strict: I created a user which can only SELECT on trackings table the fields id, context_id, time_spent.

What do you think about that? Do you think I have to make prepared requests?

Thank you in advance for your advice.

Thomas

ThmMrn

  • Use prepared statements http://uk1.php.net/pdo.prepared-statements it makes sure that SQL cannot be injected. You can check for a lot, but there is the risk that you forget or oversee something. – Veda Apr 10 '14 at 08:58
  • Also add this: http://be2.php.net/mysql_real_escape_string (check the newer, better and safer mysqli function below from @Veda). – Cagy79 Apr 10 '14 at 09:00
  • @Cagy79 that one is deprecated, use http://uk1.php.net/mysqli_real_escape_string – Veda Apr 10 '14 at 09:00
  • This one also http://stackoverflow.com/a/12202218/1723893 – NullPoiиteя Apr 10 '14 at 09:03
  • Avoid `_real_escape_string` in favour of parameterised queries (as per the first two comments on the question) – Quentin Apr 10 '14 at 09:05
  • **ALWAYS** use prepared statements, even when you are really really sure that your checks are sufficient. (Why take the risk anyway?) – giorgio Apr 10 '14 at 09:12
  • Testing with `ctype_digit()` will technically solve the problem of SQL injection, but it is a good habit to use parametrized queries everywhere. This way you can avoid misunderstandings working in a team, or if the conditions change. – martinstoeckli Apr 10 '14 at 09:30

1 Answer

You don't know what you don't know. It looks like you have thought enough about security, but what if someone knows a trick that will still output more than you wanted? Don't try to implement your own security systems.

Prepared statements are proven to be secure. Use that if you want to make sure you are safe. You can keep the checks; they can still be useful for providing user feedback.

On the other hand, I cannot think of any injection you can do with only numbers smaller than 10000.

Veda
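What the accepted advice looks like in code, as an added example that is neither the asker's nor the answerer's: the three input checks from the question are kept for user feedback, and the lookup is done with a PDO prepared statement so the value is never spliced into the SQL text. The DSN, the credentials, the JSON response shape and the name of the filtered column (`registration_id`) are assumptions, since the question does not show them.

```php
<?php
// Added example, not the original poster's code. Connection details are placeholders.
declare(strict_types=1);

header('Content-Type: application/json');

// Check 1: the POST parameter must be present.
if (!isset($_POST['registration_id'])) {
    http_response_code(400);
    echo json_encode(['error' => 'registration_id is required']);
    exit;
}
$registrationId = $_POST['registration_id'];

// Checks 2 and 3: fewer than 5 characters and digits only (ctype_digit('') is false,
// so an empty value is also rejected here).
if (strlen($registrationId) >= 5 || !ctype_digit($registrationId)) {
    http_response_code(400);
    echo json_encode(['error' => 'registration_id must be 1 to 4 digits']);
    exit;
}

// Check 4 from the question is enforced on the database side: this user is assumed to
// hold only SELECT on trackings(id, context_id, time_spent), which limits what any
// query, injected or not, could ever return.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4', // assumed DSN
    'trackings_reader',                                 // assumed read-only user
    'CHANGE_ME',                                        // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
    ]
);

// The SQL text is fixed at prepare time; the value travels separately as a typed
// parameter, so no input can change the structure of the statement.
$stmt = $pdo->prepare(
    'SELECT id, context_id, time_spent FROM trackings WHERE registration_id = :rid'
);
$stmt->bindValue(':rid', (int) $registrationId, PDO::PARAM_INT);
$stmt->execute();

echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
```

With `ATTR_EMULATE_PREPARES` disabled the MySQL server, not the PHP driver, separates statement and data, which is the property the comments above are relying on.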