-3

I was wondering if I'm safe from SQL injection if I have this in a script:

<script>

    // some stuff

    // json_encode (the question's json_oncode is a typo) emits the PHP value as a JS literal
    var item = <?php echo json_encode($PHPVAR) ?>;

    // String.prototype.replace returns a new string, so the result must be assigned back;
    // the g flag replaces every occurrence, not only the first, and HTML entities end in ';'
    item = item.replace(/"/g, '&quot;').replace(/'/g, '&#39;');

    // do more script stuff with item

</script>

Currently using Laravel (PHP) with PDO. Is there anything else that I should be aware of/look out for? (I didn't whitelist/blacklist before submitting to the database b/c PDO does that for me from what I understand.)

Also I'm asking b/c item is taken from a user input and it dynamically creates HTML using the value of item

mark4284
    It looks like you're writing JS, not PHP? – Synchro Jun 19 '15 at 20:38
    This is client side, so no. Use prepared statements. Also is `json_oncode` a typo? – chris85 Jun 19 '15 at 20:38
  • I'd need pretty much the entirety of your code to be able to tell you if you're safe from sql injection. Generally, using pdo with prepared statements and never concatenating (adding strings together) user input into a sql statement (ie. Using parameters) will protect you. I cannot guarantee everything, though. – willaien Jun 19 '15 at 20:40
  • Prepared statements by themselves provide no protection at all - it just happens that prepared statements in PDO require you to use variable binding, and *that* is what gives you the protection. That you have to use prepared statements just to get that is annoying, unnecessary overhead. – Synchro Jun 19 '15 at 20:45
  • This is 100% safe against SQL injection since there is no database code at all – Norbert Jun 20 '15 at 00:48
  • I think prepared statements are what I'm looking for... and "item" is being mutated by jQuery but afterwards will get passed to my Laravel controller (in which prepared statements safeguard me from malicious inputs from what I'm seeing). And also "item" is being dynamically appended in jQuery to an input like so: " etc etc ". I'm just making sure so it doesn't mess with the dynamically created input. Thanks!! And yeah, it's a typo, I meant json_encode – mark4284 Jun 23 '15 at 15:18
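The two separate boundaries in the question, the database write and the value echoed back into a script block and then into markup, side by side. This is an added example, not code from the question, Laravel or the PDO documentation; it assumes an in-memory SQLite database and an `items` table constructed here for illustration.

```php
<?php
// Added example, not code from the question or from Laravel/PDO.
// Assumes an in-memory SQLite database and an "items" table constructed here.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed user input carrying both SQL and HTML/JS metacharacters.
$userInput = "O'Reilly</script><script>alert(1)</script>";

// SQL boundary: the value is bound as a parameter, never concatenated into the
// SQL text, so the quote and the tags are stored as plain data.
$stmt = $pdo->prepare('INSERT INTO items (name) VALUES (:name)');
$stmt->bindValue(':name', $userInput, PDO::PARAM_STR);
$stmt->execute();

$stmt = $pdo->prepare('SELECT name FROM items WHERE id = :id');
$stmt->bindValue(':id', (int) $pdo->lastInsertId(), PDO::PARAM_INT);
$stmt->execute();
$name = $stmt->fetchColumn();
if ($name !== $userInput) {
    throw new RuntimeException('value did not round-trip through the database');
}

// Script boundary: by default json_encode escapes the slash in </script> but
// leaves < > ' " & as-is. The JSON_HEX_* flags encode them as \uXXXX escapes,
// so the literal can neither close the <script> element nor break out of a
// quoted attribute, whatever later flags (e.g. JSON_UNESCAPED_SLASHES) are added.
$forScript = json_encode(
    $name,
    JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
);
echo "var item = $forScript;\n";

// HTML boundary: when the same value is later placed into markup (e.g. the
// value attribute of a generated <input>), it needs HTML escaping, which is a
// different encoding from the JSON one above.
$forHtml = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo "<input type=\"text\" value=\"$forHtml\">\n";
```

The point the comments make holds here: the parameter binding is what keeps the SQL safe, and neither it nor json_encode does anything for the HTML that jQuery later builds from `item`.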

1 Answer

1

The question is somewhat unanswerable (at least not in a way that will not give you a false sense of security) with the amount of resources provided.

Since you are using PDO I'll go right ahead and say that you ought to be using prepared statements. Injection on a whole primarily lies on how the Web Application handles user input.

Your question should be, "How does this piece of user input interact with my application?" -- of course there isn't a set list of things to do in order to keep yourself protected from (B)SQLi (or other variants of Injection [XSS/LDAP]).

The following are some good resources that will help you out further with regards to SQL Injection on a whole (you need to know how the vulnerability works in general if you want to be able to cover something specific).

OWASP SQL Injection

Acunetix SQL Injection

SQL Injection Cheat Sheet

There isn't much more to specifically answer your question except maybe go deeper into how to handle user input with regards to the code you have provided (which we may but I don't think is required).

Juxhin
  • I think the SQL injection links you gave me and the prepared statements are the things I need. I did some SQL injection before but I was just afraid that I might have missed something – mark4284 Jun 23 '15 at 15:27
  • @mark4284 - It's fine, you got some more references in the Acunetix SQL Injection link I added there if you need more. OWASP is also great for web vulnerabilities. – Juxhin Jun 23 '15 at 15:58