I have a question I can't seem to find the answer to regarding SQL injection. Let's say I have code where there is a submit button labeled "delete" and if the user clicks it, the database deletes that record. There is no user input here besides clicking that button. Is that safe from SQL injection, or does this still need to be coded in PDO vs good old PHP? Also, are select statements safe if they are just returning results rather than inputting user data? As I understand it, I only need to worry if it is an insert or update query I am dealing with, but I can't verify this...
- But consider in your example, there must be something else sent along with the Submit to identify _that record_, and that value, be it in a hidden field, a submit value, etc, is still potentially a source of injection. – Michael Berkowski Aug 06 '14 at 01:28
- Use prepared statements always. And do not bother yourself with such type of questions. – sectus Aug 06 '14 at 01:29
- SELECT statements are not safe, if they are constructed from user input. Your data can be stolen with a crafted select statement, or commonly, a select statement can be used to escalate privileges or impersonate users. – Michael Berkowski Aug 06 '14 at 01:29
- Thanks. It's a sad thing because just slipping in php code everywhere was so much easier and less time consuming before prepared statements. I have a lot of links that do such database calls on a page...like 20. That's a lot of prepared statements. But security is key of course. – jaw Aug 06 '14 at 01:32
- Using prepared statements does not mean you have to complicate your code. It's usually shorter thereafter - if you're not using plain PDO (or worse MYSQLI), but a slim API. For instance `pdo_query("SELECT * FROM x WHERE y in (?,?,?)", $a, $b, $c);` or whatever. – mario Aug 06 '14 at 01:40
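The point made in the comments, that the "delete" button still carries a record id and that SELECT is no safer than DELETE, as an added example that is not part of the question or any comment. It runs against an in-memory SQLite database so nothing external is needed; the `notes` table, its rows and the hostile id value are constructed for the demonstration, and the `pdo_query()` helper is a hypothetical one-call wrapper in the spirit of mario's suggestion, not a real PDO function.

```php
<?php
// Added example: a "delete" button handler still receives a record id from the
// request (hidden field, submit value, query string), so the query that uses it
// is injectable unless the id is bound as a parameter. Same story for SELECT.
// Everything below is constructed for illustration and runs offline on SQLite.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');
$pdo->exec("INSERT INTO notes (id, body) VALUES (1, 'first'), (2, 'second'), (3, 'third')");

// Hypothetical slim helper: prepare + execute with positional placeholders in
// one call, so a prepared statement is no longer verbose than concatenation.
function pdo_query(PDO $pdo, string $sql, ...$params): PDOStatement {
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt;
}

function countNotes(PDO $pdo): int {
    return (int) $pdo->query('SELECT COUNT(*) FROM notes')->fetchColumn();
}

// VULNERABLE: the id that the button submits is concatenated into the SQL text,
// so whatever the client puts in that hidden field becomes part of the statement.
function deleteVulnerable(PDO $pdo, string $id): int {
    return $pdo->exec("DELETE FROM notes WHERE id = $id");
}

// HARDENED: the id travels as a bound parameter and is never parsed as SQL;
// a non-numeric string simply matches no integer id.
function deleteSafe(PDO $pdo, string $id): int {
    return pdo_query($pdo, 'DELETE FROM notes WHERE id = ?', $id)->rowCount();
}

// HARDENED SELECT: the same binding protects a read-only query from returning
// rows the caller was never meant to see.
function findNoteSafe(PDO $pdo, string $id): array {
    return pdo_query($pdo, 'SELECT id, body FROM notes WHERE id = ?', $id)
        ->fetchAll(PDO::FETCH_ASSOC);
}

// Stand-in for $_POST['id'] as a tampered client would send it (constructed value).
$hostileId = '1 OR 1=1';

$rows = findNoteSafe($pdo, $hostileId);
echo 'prepared SELECT with tampered id returned ' . count($rows) . " row(s)\n";

$deleted = deleteSafe($pdo, $hostileId);
echo "prepared DELETE with tampered id removed $deleted row(s), "
   . countNotes($pdo) . " remain\n";

$deleted = deleteVulnerable($pdo, $hostileId);
echo "concatenated DELETE with tampered id removed $deleted row(s), "
   . countNotes($pdo) . " remain\n";
```

Run it with `php example.php`. The two prepared calls treat `1 OR 1=1` as a literal string that matches no id, so they return and delete nothing, while the concatenated DELETE empties the table because its WHERE clause became `id = 1 OR 1=1`. The wrapper also shows jaw's concern about twenty call sites in practice: each one is a single `pdo_query(...)` line, no longer than the string-built version it replaces.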