From long research, I find that using parameters to prevent injection is a great practice, but should I use them in every query or just on the login page? And why?
Thank you so much.
Code should always use parameter bindings for SQL.
It does not matter where the data comes from; skipping this can lead to second order SQL injection, or cases of "I forgot to update the code". Just use SQL parameters all the time.
The only general exception is when this cannot be done, such as when needing to alter the non-data in the query itself (eg. table name) - in such a case there are additional techniques to mitigate SQL Injection.
While an essential cornerstone, parameter bindings are "not enough".
Correct use of query parameters prevents all "classic" SQL Injection, by definition, but does not guarantee that the query is secure.
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.
That is, while the following is free from SQL Injection because the query shape cannot be altered, it is still not guaranteed that the query is "safe" or "secure".
// PDO example: the value is bound as a parameter, so the query shape is fixed,
// but nothing checks whether this user is allowed to read that secret.
$name_from_user = $_GET['name'];
$stmt = $pdo->prepare('SELECT nuke_code FROM secrets WHERE name = :name');
$stmt->execute(array('name' => $name_from_user));
This is clearly a potential security (fsvo) risk because it used untrusted / unvalidated data in the query. In such a case, only trust data from the server or that can be validated by the server before executing the query.
Additionally, SQL Injection (and thus parameters) do not cover violation of business rules. These should be enforced separately from "sanitization/validation for SQL". Hopefully the code uses a DAL/BLL such that the logic is not strewn across dozens of PHP files.
All that needs to be remembered when answering the base question is that using SQL parameters ensures the data supplied makes it into the SQL without altering the query shape. As such they should always be used - or else the code is setting itself up for failure.
I realize that "always" and "only" are absolute extremes, but I've yet to find an example in general code when such are violated. It is also irrelevant if the underlying driver uses escaping internally or real parameterized queries - the point is that using parameters (besides making the queries cleaner) removes this responsibility in a consistent and reliable manner.
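The following is an added example (not from the question or the answer above) that demonstrates the three points the answer makes, using Python's built-in sqlite3 driver rather than the answer's PHP/PDO: a concatenated query whose shape an input can alter, the same query with a bound parameter, the table-name case where a parameter cannot be used and an allow-list is the fallback, and finally the "parameters are not enough" case where the owner check comes from server-side session state rather than from the request. The table layout, the sample rows and the function names are constructed for this illustration.

```python
import sqlite3

# Constructed sample schema and rows; the "nuke_code" column mirrors the answer's example.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE secrets (name TEXT, owner TEXT, nuke_code TEXT)")
    conn.execute("CREATE TABLE audit_log (entry TEXT)")
    conn.executemany(
        "INSERT INTO secrets VALUES (?, ?, ?)",
        [("alpha", "alice", "CODE-A"), ("bravo", "bob", "CODE-B")],
    )
    return conn


def lookup_concat(conn, name):
    # Vulnerable on purpose: the input is spliced into the SQL text, so it can
    # change the shape of the query (extra OR clause, comment, UNION, ...).
    sql = "SELECT nuke_code FROM secrets WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    # Parameterised: the driver passes the value separately from the SQL text,
    # so whatever the string contains, it is compared as a literal name.
    sql = "SELECT nuke_code FROM secrets WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


# Identifiers (table/column names) cannot be bound as parameters, which is the
# exception the answer mentions; a fixed allow-list is the usual mitigation.
ALLOWED_TABLES = frozenset({"secrets", "audit_log"})


def count_rows(conn, table):
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {table!r}")
    # Safe to interpolate only because the value is one of our own constants.
    return conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]


def lookup_for_user(conn, name, current_user):
    # Parameterised AND authorised: current_user comes from the server-side
    # session, not from the request, so a valid name alone is not enough to
    # read another user's secret. This is the business rule parameters do not enforce.
    sql = "SELECT nuke_code FROM secrets WHERE name = ? AND owner = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name, current_user))]


if __name__ == "__main__":
    db = setup_db()
    payload = "' OR '1'='1"
    print("concat, tampered input:", lookup_concat(db, payload))   # both secrets leak
    print("param,  tampered input:", lookup_param(db, payload))    # nothing matches
    print("param + owner check   :", lookup_for_user(db, "bravo", "alice"))  # denied
```

Note that `lookup_param` is still the "free from SQL Injection but not safe" function from the answer: any caller who knows a secret's name gets its code. Only `lookup_for_user` closes that gap, and it does so with data the server controls.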