
I'm a little new to MySQL, but if I create a page using HTML, CSS & JS, do I need to use prepared statements to prevent SQL injections? Or only if I use text input? Maybe my using text input doesn't matter, as a user can edit files during use with browser inspection tools to add one anyway.

If I use PHP instead of HTML for includes, is it easier to inject code?

Let's say I set up a site using Siteground; where do I find the files I need to edit to prevent this, PHP or MySQL?

Or do I only need to worry about this if I write some custom PHP/MySQL code which handles incoming data to the database?

Or am I asking the wrong question?

Thanks!

-A

user6044774
    [The Great Escapism (Or: What You Need To Know To Work With Text Within Text)](http://kunststube.net/escapism/) – deceze Jun 08 '16 at 10:32

1 Answer

SQL injection is an attack type which consists of a user writing malicious code as user input and then posting it to the server. If the db server executes such code, then bad things will happen.

Preventing the execution of malicious SQL provided in user input is equivalent to escaping the dynamic parameters of queries. This can be done either with PDO or with mysqli_real_escape_string.

So, to make sure there is no possibility of SQL injection, just check all the places where direct MySQL commands are executed and make sure the parameters are escaped.

Lajos Arpad
  • Are the files controlling this stored in folders kept at the same level as public_html or do I have to access them using phpMyAdmin? – user6044774 Jun 08 '16 at 11:14
  • You should search for .php files in all the subfolders (and subfolders of subfolders, and so on) of public_html – Lajos Arpad Jun 08 '16 at 11:24
  • Okay, so if I haven't added PHP files that post values to or collect values from the database in public_html, then I don't have to worry about SQL injections? – user6044774 Jun 08 '16 at 11:29
  • If you have not added such files, that does not mean that there are no such files; maybe they were added by someone else. Just check all PHP files in your project folder tree: not only those which are directly inside public_html, but also those under folders under public_html, and so on. Is your project ever sending requests to the db server, like logging in and stuff like that? – Lajos Arpad Jun 08 '16 at 11:32
  • Well, you mean except for requests for files? Not really, but if it's only in public_html and its child folders I need to look, then that helps. Thanks! – user6044774 Jun 08 '16 at 11:39
  • Not requests for files. Just download the project locally and search for the word mysql or pdo and see where you find references. – Lajos Arpad Jun 08 '16 at 11:42
  • Seems like there aren't any, so that's good – user6044774 Jun 08 '16 at 12:00
  • Ok. If my answer helped you, then you might consider accepting it by clicking on the tick button. – Lajos Arpad Jun 08 '16 at 12:09
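As an added illustration of the point in the answer above (example code, not the answerer's), here is the string-concatenation pattern to look for when auditing the PHP files under public_html, beside its PDO prepared-statement replacement; the host, database name, credentials and the `users` table are placeholders.

```php
<?php
// Added example, not from the answer above. Connection values are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=example_db;charset=utf8mb4',
    'db_user',
    'db_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // parameters are bound by MySQL itself
    ]
);

// Untrusted input: anything from $_GET, $_POST, $_COOKIE or request headers.
// Client-side HTML/JS checks do not help here; the request body is attacker-controlled.
$username = $_GET['username'] ?? '';

// VULNERABLE pattern: the value is spliced into the SQL text, so a quote character
// inside $username changes the structure of the statement instead of staying data.
function findUserVulnerable(PDO $pdo, string $username): ?array
{
    $sql = "SELECT id, email FROM users WHERE username = '$username'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// SAFE replacement: the SQL text is fixed at prepare() time and the value travels
// separately as a bound parameter, so it is never parsed as SQL.
function findUserSafe(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Identifiers (table and column names) cannot be bound as parameters; compare the
// input against a fixed allow-list and interpolate only the allow-listed value.
$allowedSort = ['username', 'email'];
$sort = in_array($_GET['sort'] ?? '', $allowedSort, true) ? $_GET['sort'] : 'username';
$stmt = $pdo->prepare("SELECT id, email FROM users ORDER BY $sort LIMIT :lim");
$stmt->bindValue(':lim', 20, PDO::PARAM_INT); // integer binding needs native prepares
$stmt->execute();
```

The same two functions written with mysqli would use `$mysqli->prepare()` plus `bind_param('s', $username)`; the audit rule from the comments still applies, which is to grep the whole tree for `mysql` and `pdo` and inspect every query whose text is built with interpolated variables.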