I am just reading up about mysql injection and I wanted to confirm that if you force a user to use list options for their input that is written to mysql (and those inputs are set as readonly) is the system essentially secure from mysql injection? would one need to put in measures to protect malicious mysql injection attempts for sites developed this way?
Asked
Active
Viewed 39 times
0
-
If you want to protect yourself from SQL injection, simply prepare your statement before executing your query. http://php.net/manual/fr/pdo.prepare.php – Jonathan Parent Lévesque Mar 25 '16 at 18:20
-
Prepared [PDO](http://php.net/manual/en/book.pdo.php) statements will stop nearly all SQL injection attacks. – Henry A. Mar 25 '16 at 18:20
-
Yes, a "good" user will use your lists. But what about the "bad" users? They will definitely not use your lists. Follow the comments from the other users. – Peter VARGA Mar 25 '16 at 18:22
-
Depends on where you are enforcing the limiting. If you're just giving them a drop-down on the page, they can edit the html and send arbitrary values. If you're validating the values received on the back-end, then, it's more secure. But best to use other methods to secure the database than that. – Keith Tyler Mar 25 '16 at 18:36
-
It's important to note that it's not just the usage of PDO "prepared statements" that prevents SQL Injection. What is important is that all potentially unsafe values are supplied to the statement through bind parameters, bind placeholders. (It's possible to write vulnerable code with prepared statements; I know it is because I've seen it done.) – spencer7593 Mar 25 '16 at 18:42
2 Answers
1
If I understand you correct then no. You can try to force the user but everything that the user enters, happens on the client side. Since this is on the clients side and the client has absolute control over the webpage he can manipulate it to whatever he wants or even genereate own POST or GET Requests regardless of the page he received.
There are some tools that can achieve this goal.
If you want to secure your database against SQL Injection I recommend that you use prepared statements only (How can I prevent SQL injection in PHP?) Any countermeasures that you take have to be implemented on the server side. You should always expect that the user sends whatever will break your code and do harm to you, regardless of the "restrictions" he has to his input.
-
1+10. @JRsz. It is so *very* easy to add a local proxy server (on the client) that lets you catch the request generated by the webpage, and modify it however you want, before it's sent back to the server. You are absolutely right that the request *must* be validated on the server. Any validation done on the web page in javascript is a convenience and speedup for the normal user. It's much faster to perform checks right on the client, before a request is sent, rather than sending a request that is rejected on the server, and having the server generate another response. – spencer7593 Mar 25 '16 at 19:11
-
That sounds interesting, can you give me a link for further reading? And I agree, that this is way easier, because handeling all possible faulty requests and generating appropriate responses is very annoying. Yet the easiest and most efficient way to tackle this issue (as far as I know). Simple Plugins like NoScript can disable all JS :/ – JRsz Mar 25 '16 at 19:17
0
Based on the information provided in the question:
Q: ... is the system essentially secure from mysql injection?
A: No, this doesn't guarantee that the system won't be vulnerable to SQL Injection.
Q: would one need to put in measures to protect malicious mysql injection attempts for sites developed this way?
A: The best measures against a malicious attacker exploiting a SQL Injection vulnerability is to prevent SQL Injection vulnerabilities in the first place.
And that means speicific coding patterns for the database interactions: prepared statements with bind placeholders. Or, at a minimum, properly escaping all potentially unsafe values that are included in the text of a SQL statement.
Your web page can have a drop down list box from which the user makes a choice, and your web page can do validation in Javascript. But that doesn't prevent a malicious attacker from bypassing that, and sending a request that doesn't conform the javascript validation.
The script on the server that handles the request will need to perform the validation... probably the same validation that was done in javascript on the web page that generated the request.
But any database interactions will also need to follow the normal patterns that prevent SQL Injection vulnerabilities (i.e. prepared statements with bind placeholders, or at a minimum, properly escaping potentially unsafe values.)
Multiple lines of defense.
It's not at all clear what you've been reading.
As a starting point, I recommend you review the information available from the OWASP project.
https://www.owasp.org/index.php/SQL_Injection
This isn't the be-all-end-all, but it's a good overview. If you are in a hurry, you can look at the SQL Injection Prevention Cheat Sheet.
spencer7593
- 106,611
- 15
- 112
- 140