What is the best way to prevent SQL injection for statements like ALTER DATABASE or CREATE EVENT, because they are not supported by the prepared statement protocol yet? Or is this even necessary, because the user probably has the permissions anyway?
You want this https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php ? – Theo27 May 10 '21 at 12:22

Yeah, for normal queries it's perfectly fine, but for some statements the prepare function is not supported yet. What can I do about these? – Green May 10 '21 at 12:26

Start by explaining what parts of those types of statement would have to be “dynamic” in your application to begin with. Why/where do you need to handle _user input_ within those? – CBroe May 10 '21 at 12:36

I'm writing a database class, and for this I have statements like 'CREATE $event_name ON SCHEDULE $event_schedule DO $event_body'. This should not be my private class, so it should be secured somehow if someone else uses it. – Green May 10 '21 at 12:42
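One defensive way to build the CREATE EVENT statement from the last comment, as an added example (not code from the question or any commenter): since the statement cannot be parameterized, the event name, the schedule and the body values are each validated or escaped separately and only then concatenated. It assumes MySQL/MariaDB, PHP 7.4+, and that the caller supplies the escaper of an open mysqli connection (the `$db` in the usage comment is assumed).

```php
<?php
// Added example, not code from the question or its comments. Assumes MySQL/MariaDB
// and that the caller later runs the returned string on an open mysqli connection.

function quoteIdentifier(string $name): string {
    // Event/database names: allow only plain identifiers and reject everything else.
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $name)) {
        throw new InvalidArgumentException("Invalid identifier: $name");
    }
    return "`$name`";
}

function buildSchedule(array $spec): string {
    // The schedule is assembled from typed fields, never taken as a free-form string.
    if (isset($spec['every'])) {
        $every = filter_var($spec['every'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        $unit = strtoupper((string)($spec['unit'] ?? ''));
        if ($every === false || !in_array($unit, ['SECOND', 'MINUTE', 'HOUR', 'DAY', 'WEEK'], true)) {
            throw new InvalidArgumentException('Invalid EVERY schedule');
        }
        return "EVERY $every $unit";
    }
    if (isset($spec['at'])) {
        $at = DateTimeImmutable::createFromFormat('Y-m-d H:i:s', (string)$spec['at']);
        if ($at === false) {
            throw new InvalidArgumentException('Invalid AT schedule');
        }
        return "AT '" . $at->format('Y-m-d H:i:s') . "'";
    }
    throw new InvalidArgumentException('Schedule needs "every"+"unit" or "at"');
}

function buildCreateEvent(string $name, array $schedule, string $bodyTemplate,
                          array $bodyValues, callable $escapeString): string {
    // $bodyTemplate is SQL written by the developer, with one %s per value; only
    // $bodyValues may come from callers, and each is escaped by the connection's own
    // escaper (e.g. [$db, 'real_escape_string']) so the connection charset is respected.
    if (substr_count($bodyTemplate, '%s') !== count($bodyValues)) {
        throw new InvalidArgumentException('Placeholder/value count mismatch');
    }
    $literals = array_map(fn($v) => "'" . $escapeString((string)$v) . "'", $bodyValues);
    return 'CREATE EVENT ' . quoteIdentifier($name)
        . ' ON SCHEDULE ' . buildSchedule($schedule)
        . ' DO ' . vsprintf($bodyTemplate, $literals);
}

// Usage (constructed; assumes $db is an open mysqli connection):
// $sql = buildCreateEvent('purge_sessions', ['every' => 1, 'unit' => 'day'],
//     'DELETE FROM sessions WHERE app = %s', ['shop'], [$db, 'real_escape_string']);
// A name or unit outside the allowlist is rejected with an exception, not escaped.
```

The point is that identifiers and keywords are never escaped, only checked against an allowlist, while string literals inside the body go through the driver's escaper; the body template itself must stay under the library author's control.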