MySQL Statement Injection

Question

If someone is injecting MySQL statements to my PHP-based app. I use MySQLi real escape strings, however the attacker simply injects SQL statement. Let's assume:

http://example.com/?id=1

The attack simply injects a statement: http://example.com/?id=1 LIMIT 10

And, even after escaping the strings, the code is executed as follows.

SELECT * FROM ex WHERE id = 1 LIMIT 10

The app is quite vast and I would have to change every single line there. — Areeb, Feb 24 '16 at 04:17
There are hacky solutions. You could cast it as an integer, http://php.net/manual/en/function.intval.php; or you could rig up some regex. The best approach would be prepared statements though. — chris85, Feb 24 '16 at 04:21
What about some filtering class to wipe out all the statements from input? — Areeb, Feb 24 '16 at 04:28

score 0 · Accepted Answer · answered Feb 24 '16 at 04:09

0

MySQLi real escape strings does not prevent SQL injection, It simply helps prepare query string data and escape sensitive characters. You need to use Prepared Statements.

answered Feb 24 '16 at 04:09

Nick

1,783
1
15
18

Is there any way to prevent this? I am not using prepared statements, any idea to fix this real fast? – Areeb Feb 24 '16 at 04:11
@Areeb start using prepared statements. For the particular instance you describe, you know you need a number. Use `is_numeric`. – Feb 24 '16 at 04:17

MySQL Statement Injection

1 Answers1