
Is there a list of SQL injection methods which can't be protected with just using mysql_real_escape_string(); with utf8 encoding?

For integer, I'm using intval(); Is it secure enough?

For those who think I want to get a "tutorial" to hack anyone: No, I won't. I just want to know how to make my applications more secure, and I want to know if they're secured 99% against hackers.

genesis
    Closely related: [Is mysql_real_escape_string() broken?](http://stackoverflow.com/q/5288953) – Pekka Jul 12 '11 at 15:26
  • @Pekka: And is there any reference WHY shouldn't I set "SET NAMES utf8" in normal mysql_query();, or just because mysql documentation recommends it ? – genesis Jul 12 '11 at 15:34
  • if mysql_real_escape_string() and the database connection assume different connections, there is the possibility of vulnerabilities under some circumstances, as explained here: http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string – Pekka Jul 12 '11 at 15:38

3 Answers


If given a valid database connection, mysql_real_escape_string() is supposed to be safe for string data under all circumstances (with the rare exception described in this answer).

However, anything outside a string, it won't escape:

$id = mysql_real_escape_string($_GET["id"]);

// $id is interpolated outside any quotes, so the escaping above has nothing to protect
mysql_query("SELECT * FROM table WHERE id = $id");

is still vulnerable, because you don't have to "break out" of a string to add an evil additional command.

Pekka
  • @genesis generally speaking, anything outside a string - e.g. when using dynamic column or field names. Which is one reason why they are a bad idea. – Pekka Jul 12 '11 at 15:24
  • and mysql_real_Escape_string(); doesn't escape `? – genesis Jul 12 '11 at 15:31
  • 1
    @genesis nope. "mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a." – Pekka Jul 12 '11 at 15:33
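An added example, not code from the answer or its comments, that builds the SQL text without a database connection so you can see exactly what would reach MySQL in the numeric case the answer describes and in the dynamic-column case from the comment. addslashes() stands in for mysql_real_escape_string() (which needs a live connection) since both escape the same quote characters; the table and column names are assumed.

```php
<?php
// Added example, not code from the answer above. It builds the SQL text
// only (no database connection), to show what reaches MySQL in each case.
declare(strict_types=1);

// Stand-in for mysql_real_escape_string(), which needs a live connection;
// addslashes() escapes the same quote characters, which is all that matters here.
function escape_like_mysql(string $s): string
{
    return addslashes($s);
}

// UNSAFE, exactly the pattern in the answer: the value is outside quotes,
// so escaping quote characters changes nothing about what the parser sees.
function unsafe_by_id(string $id): string
{
    $id = escape_like_mysql($id);
    return "SELECT * FROM table WHERE id = $id";
}

// SAFE: only accept a plain decimal string, and keep it short enough that
// the (int) cast cannot saturate at PHP_INT_MAX.
function safe_by_id(string $id): string
{
    if (!ctype_digit($id) || strlen($id) > 18) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return 'SELECT * FROM table WHERE id = ' . (int) $id;
}

// Dynamic column names are the other common non-string context (see the
// comment on the answer). They cannot be escaped; compare against an
// allow-list of column names instead (assumed columns for this example).
function safe_order_by(string $column): string
{
    $allowed = ['id', 'name', 'created_at'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    return "SELECT * FROM table ORDER BY `$column`";
}

$hostile = '1 OR 1=1';
echo unsafe_by_id($hostile), PHP_EOL;   // ... WHERE id = 1 OR 1=1  (matches every row)
echo safe_by_id('42'), PHP_EOL;         // ... WHERE id = 42
foreach ([$hostile, '12abc', ''] as $bad) {
    try {
        safe_by_id($bad);
    } catch (InvalidArgumentException $e) {
        echo "rejected '$bad': {$e->getMessage()}", PHP_EOL;
    }
}
echo safe_order_by('name'), PHP_EOL;
try {
    safe_order_by('not_a_column');
} catch (InvalidArgumentException $e) {
    echo 'rejected sort column: ', $e->getMessage(), PHP_EOL;
}
```

The point of the two safe functions is that nothing from the request is ever placed into the query text verbatim: the integer is rebuilt from validated digits and the column name is one of your own constants. Escaping is the wrong tool for both contexts, which is why the answer says "anything outside a string, it won't escape".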

There are not many SQL injection methods. They are always due to input not being sanitized and escaped properly. So, while mysql_real_escape_string() will make any string safe to be included in a database query, you should follow the following avoidance techniques to protect your data and users from SQL injection.

  • Never connect to the database as a superuser or as the database owner. Always use customized users with very limited privileges.
  • Check if the given input has the expected data type.
  • If the application expects numerical input, consider verifying the data with is_numeric(), or silently change its type using settype().
  • Quote each non-numeric user-supplied value that is passed to the database with the database-specific string escape function. So mysql_real_escape_string() will make all strings safe to be included in an SQL query to a MySQL database.
  • You could also learn to use stored procedures and prepared statements, which tend to be very safe but have other impacts.

See also: PHP page on SQL injection

shxfee
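An added example, not code from the answer above, that puts the bullet points together with mysqli prepared statements: a low-privilege account, a type check before the value is used, and parameters bound separately from the SQL text so no quoting is involved. It assumes a reachable MySQL server, the placeholder credentials below, a table `users(id INT, email VARCHAR(255))`, and the mysqlnd driver (needed for get_result()); all of those names are assumptions. set_charset() is used instead of a raw "SET NAMES" query, as the PHP manual recommends, so the client library knows which charset the connection uses.

```php
<?php
// Added example, not the answer's code. Assumes a MySQL server reachable with
// the placeholder credentials below and a table users(id INT, email VARCHAR(255)).
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// A dedicated account with only the privileges the application needs
// (e.g. GRANT SELECT on the app schema), as the first bullet recommends.
// Host, user, password and schema are placeholders.
$db = new mysqli('127.0.0.1', 'app_reader', 'PLACEHOLDER_PASSWORD', 'app');

// Tell the client library the connection charset (instead of a raw
// "SET NAMES" query) so escaping and the driver see the same encoding.
$db->set_charset('utf8mb4');

/** Look up one user by id; returns null for a missing row or a non-integer id. */
function find_user_by_id(mysqli $db, $raw): ?array
{
    // Type check first: anything that is not an integer >= 1 is rejected here.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Prepared statement: the value travels separately from the SQL text,
    // so no quoting or escaping of $id is involved at all.
    $stmt = $db->prepare('SELECT id, email FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/** All users whose address ends in the given domain (string parameter, still bound). */
function find_users_by_email_domain(mysqli $db, string $domain): array
{
    // LIKE wildcards inside the data are a separate concern from injection:
    // escape them so a caller cannot widen the match with % or _.
    $pattern = '%@' . addcslashes($domain, '%_\\');
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email LIKE ?');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Request values are untrusted strings; both helpers validate or bind them.
var_dump(find_user_by_id($db, $_GET['id'] ?? ''));
var_dump(find_users_by_email_domain($db, $_GET['domain'] ?? 'example.com'));
```

Note that the type check in find_user_by_id() is not what makes the query safe (the bound parameter is); it exists so that bad input is rejected early with a clear result instead of being silently coerced to 0 by the driver.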

There are many things that may not get protected by standard methods (e.g. string escaping, int casting), also depending on the version of the software you use. For example, UTF-8 is quite an issue by itself; as a tiny example (among many), you should make sure the request is valid UTF-8 (or convert it into UTF-8). See an example.

As the undead bane of websites, I think that MySQL injection protection cannot be squeezed into a single SO answer, hence I'm including these links as general starting points.

http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

And also : Search for mysql injection utf8

Halil Özgür
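An added example, not code from the answer above, of the "make sure the request is valid UTF-8" step: it checks request bytes with mb_check_encoding() and replaces invalid sequences before the data goes anywhere near an escape function or a bound parameter. The sample inputs are constructed for the demonstration (valid ASCII and multibyte text, a truncated sequence, an overlong encoding and a stray continuation byte); it requires the mbstring extension.

```php
<?php
// Added example, not the answer's code. Validates or repairs request data
// that is not well-formed UTF-8 before it is used in a query.
declare(strict_types=1);

function is_valid_utf8(string $s): bool
{
    // mb_check_encoding() validates the byte structure: overlong forms,
    // truncated sequences and stray continuation bytes are all rejected.
    return mb_check_encoding($s, 'UTF-8');
}

function clean_utf8(string $s): string
{
    if (is_valid_utf8($s)) {
        return $s;
    }
    // Converting UTF-8 to UTF-8 replaces each invalid sequence with the
    // substitute character (U+FFFD) instead of passing the bad bytes on.
    mb_substitute_character(0xFFFD);
    return mb_convert_encoding($s, 'UTF-8', 'UTF-8');
}

/** Apply the check to every string in a request array; reject or repair as configured. */
function sanitize_request(array $request, bool $reject = true): array
{
    $out = [];
    foreach ($request as $key => $value) {
        if (!is_string($value)) {
            continue;                        // nested arrays etc. are out of scope here
        }
        if ($reject && !is_valid_utf8($value)) {
            throw new InvalidArgumentException("parameter '$key' is not valid UTF-8");
        }
        $out[$key] = clean_utf8($value);
    }
    return $out;
}

// Constructed inputs for the demonstration.
$samples = [
    'plain ascii'        => "hello",
    'valid multibyte'    => "h\xC3\xA9llo",   // "héllo"
    'truncated sequence' => "abc\xE2\x82",    // 3-byte sequence cut short
    'overlong slash'     => "\xC0\xAF",       // non-shortest encoding of "/"
    'lone continuation'  => "x\x80y",
];

foreach ($samples as $label => $bytes) {
    printf("%-20s valid=%-3s cleaned=%s\n",
        $label, is_valid_utf8($bytes) ? 'yes' : 'no', bin2hex(clean_utf8($bytes)));
}

// In a real request handler: $params = sanitize_request($_GET);
try {
    sanitize_request(['q' => "\xC0\xAF"]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Rejecting is the simpler policy for data that should never contain binary (form fields, query strings); replacing is for cases where you must keep the request going. Either way the bytes that reach the escape function or the driver are well-formed, so there is no ambiguity about where one character ends and the next begins.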