
Are there any automatic SQL injection prevention PHP libraries? Something like: check the incoming parameters such as GET and POST, and check for possible SQL attack signatures before continuing to execute the site's code.

Like example: http://www.example.com/index.php?page_id=')//UniON//aLL//SELECt//nULL,nULL,nULL,nULL,nULL,nULL,nULL,nULL,nULL,nULL--/**/uHkS

In the above URL I have passed SQL syntax in a GET parameter. The PHP library will check the GET and POST parameters before the project's code starts executing, and if any SQL attack is included, it will exit the request immediately and throw an exception message.

2 Answers

0

As has been written in the other comments: there is no library to automatically detect attacks on your database via the request.

It would be really bad to immediately cancel the request if there is incoming data which could cause a threat to database operations.

Just take a normal form with an input for the name of the user. His name is Brian O'Connor... well, it seems he won't be able to use your program.

The library would need to have a semantic check to see if the user wants to mess up your database. To do this semantic check, the library would also need to know what kind of data is actually expected. In the mentioned example, when expecting a name you might be sure "drop table" would not be wanted input, but it would be a lot of overhead to define the rules of what is wanted for every input.

If you always treat the user data correctly (by using prepared statements or the escaping/quoting function of your database API), you will have some weird data in your tables (if someone actually tries to inject SQL into you), but that won't hurt you, I guess.

Philipp
-2

There are things you can do on the database end by using PDO or prepared statements, or you can sanitize POST or GET data on the server-side script's end.

$safe_data = filter_input(INPUT_GET, 'comment', FILTER_SANITIZE_SPECIAL_CHARS); // HTML-encodes ' " < > & in $_GET['comment']

Because this function only works on a single GET parameter at a time, you might want to write a function to make a new array (e.g. $SAFE_GET) which iterates through the GET parameters and sanitizes them all in one go.

Alternatively you can set a directive in the php.ini file to default to sanitizing all input for HTML safety:

filter.default="special_chars"

I don't think there are PHP libraries that can sanitize that; you have to be careful with how you handle your data.

For both POST and GET, sanitize user input. With all types of fuzz testing and performing Q & A, your application should be secured.

unixmiah
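As an added example (not code from either answer), the PHP script below contrasts the kind of request-level signature check the question asks for with a PDO prepared statement, using a legitimate name and a shortened, constructed version of the probe string from the question as inputs; it assumes the pdo_sqlite extension is available. It also shows why the FILTER_SANITIZE_SPECIAL_CHARS filter from the second answer is an HTML-encoding step rather than SQL protection.

```php
<?php
// Constructed demo: why a request-level SQL "signature" filter misfires on
// legitimate data, and how a prepared statement makes the same input inert.
// Uses an in-memory SQLite database through PDO (assumes pdo_sqlite).

// 1. A naive signature check of the kind the question describes.
//    Hypothetical blacklist; real products use longer lists, same idea.
function looksLikeSqlInjection(string $value): bool
{
    return (bool) preg_match('/[\'"]|--|\/\*|\bunion\b|\bselect\b/i', $value);
}

// Constructed inputs: a real user's name and a shortened probe string.
$legitName = "Brian O'Connor";
$probe     = "')//UniON//aLL//SELECt//nULL,nULL--/**/uHkS";

// The apostrophe alone trips the blacklist, so the legitimate user is
// rejected together with the probe: the false positive the first answer warns about.
var_dump(looksLikeSqlInjection($legitName));
var_dump(looksLikeSqlInjection($probe));

// 2. Prepared statements: the value is bound as data and never parsed as SQL,
//    so neither input needs any hand-written quoting or escaping.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
foreach ([$legitName, $probe] as $name) {
    $insert->execute([':name' => $name]);
}

// Reading the rows back by exact value shows both were stored verbatim:
// the probe is just odd text in a column, as the first answer says.
$select = $pdo->prepare('SELECT name FROM users WHERE name = :name');
foreach ([$legitName, $probe] as $name) {
    $select->execute([':name' => $name]);
    var_dump($select->fetchColumn() === $name);
}

// 3. FILTER_SANITIZE_SPECIAL_CHARS HTML-encodes ' " < > &; applied to the name
//    before it reaches the database it alters valid data (the apostrophe) and
//    does nothing to protect the SQL layer, so it belongs at HTML output time.
var_dump(filter_var($legitName, FILTER_SANITIZE_SPECIAL_CHARS));
```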