2

Would this simple table name sanitisation be enough to prevent SQL injections?

$table = str_replace('`', '', $table);
$table = '`'.$table.'`';

Note: I use PDO.

Emanuil Rusev
  • 34,563
  • 55
  • 137
  • 201

2 Answers2

2

If you are allowing the user to select which table they query from, the only way to "sanitize" and verify no hacking would be to have a whitelist of allowed tables. Your method would fail to allow for other database schemas also. This could also be as simple as querying for a list of tables from a specific database.

I don't have a mysql instance to play with to try to find bad table names. I can say though that while I can't think (or really test and verify) a way to bypass this, I can say that I can think of several ways that the query would straight up fail. Trying to access other databases otherDB.tableName or selecting from multiple tables with joins. While this would likely cause an error, you still don't want to take the chance of someone finding something that will go through.

Jonathan Kuhn
  • 15,279
  • 3
  • 32
  • 43
  • Hm... how would restricting the character set not provide adequate sanitation? alphanumeric plus _ and - would be just fine. – Peter Kionga-Kamau Feb 25 '23 at 01:42
  • @PeterKionga-Kamau In reality, any user input should be considered bad and untrusted. It would most likely depend on the situation, however, one example might just be that you don't want the user to query for any table like a users table or information_schema. It all comes down to what you are accepting as user input and what you are allowing the user to submit. – Jonathan Kuhn Mar 06 '23 at 04:39
1

If you want to be super safe, and avoid errors you could query the INFORMATION_SCHEMA to check if the table exists. Then you will know the tables exists, and can catch an invalid table earlier. You can also limit to a particular schema.

  1. split the input into DB and Table (if necessary)

  2. Select table_name, table_schema from information_schema.tables where table_schema = 'db' and table_name = 'tableName' (note: you can use parametrized query here to prevent injection)

  3. If you get a return, might as well use the returned values (table_schema.table_name), else not a valid table

  4. Then perform your query, knowing that the table exists, and is valid

This extra query of checking information_schema, could cause some overhead, but maybe you could optimize for your specific need.

Dan
  • 10,614
  • 5
  • 24
  • 35
  • *"note: you can use parametrized query here to prevent injection"* - Can you elaborate on that? I hope you don't mean something like [`SELECT * FROM :table`](http://stackoverflow.com/q/182287/) by this. – Funk Forty Niner Apr 28 '15 at 20:23
  • @Fred-ii- Since the user input values are in the WHERE clause you can use parametrized query. I'm assuming the catalyst for this question is that you can't use parameters in the FROM clause, so I was just pointing out that this way, the only time you use user input in a query, it is possible to use prepared statements to make it safe. – Dan Apr 28 '15 at 20:26
  • Not really, as the query that checks the existence of the table is still a query and vulnerable to injection... – Peter Kionga-Kamau Feb 25 '23 at 01:43
  • @PeterKionga-Kamau I said to use a parameterized query for that very reason. – Dan Mar 08 '23 at 19:18
  • @Dan But your code doesn't use parameters - it sounds like you are suggesting that they are optional ("you can use..."), it's risky and worth noting that it's risky. – Peter Kionga-Kamau Mar 09 '23 at 06:07