<p>The general rule is to deny everything and allow through only valid characters, rather than removing what you consider to be invalid. The most important aspect is what you do with these strings afterwards. If you have a line later saying: <code>tsql = "SELECT * FROM Users WHERE Username='" . $username . "' AND "</code> then this is the primary area of risk, although <code>mysql_real_escape_string</code> should avoid this.</p>

<p>By using libraries or features that allow passing of parameters to the database there can never be any SQL injection, as the database parameters can't be interpreted into TSQL, leaving only PHP/JavaScript injection as a possibility. Basically, look at the <code>bind_param</code> functions as the only true protection.</p>

<p>Whenever displaying data on-screen, consider something like <code>htmlspecialchars()</code> to convert it to HTML. There's no point in storing something escaped if you need it un-escaped later, and raw data in the database poses no risk as long as you always consider it raw.</p>

<p>In summary, the code you list may or may not reduce injection, but there are too many combinations to exclude every possibility, including aspects such as a user using single quotes (you're only replacing double quotes). All user input data is potentially dangerous. Feel free to store it raw, but whenever USING it make sure your operations are protected using one of the above options.</p>

<p>My PHP is a bit rusty now, but exactly the same rules apply to SQL Server, Oracle, .NET, Java and any other database/language.</p>
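The three points in the answer above (concatenation is the risk, parameter binding is the protection, escape only at display time) side by side, as an added example that is not part of the original answer. It uses Python's built-in sqlite3 module in place of PHP/mysqli so it runs offline; the `Users` table, its rows and the inputs are constructed for the demonstration.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory Users table (sample data, not from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Email TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("o'brien", "ob@example.test"),
         ("bob", "bob@example.test")],
    )
    return conn


def lookup_concat(conn, username):
    """Vulnerable form: mirrors the concatenated query the answer warns about.
    Stripping double quotes (what the questioner's code did) leaves single
    quotes untouched, so the input is still parsed as part of the SQL text."""
    cleaned = username.replace('"', "")
    sql = "SELECT Username, Email FROM Users WHERE Username='" + cleaned + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, username):
    """Hardened form: the value travels as a bound parameter (the sqlite3
    equivalent of bind_param), so the engine never interprets it as SQL."""
    sql = "SELECT Username, Email FROM Users WHERE Username=?"
    return conn.execute(sql, (username,)).fetchall()


def render_cell(value):
    """Escape at display time only (the htmlspecialchars() step); the database
    keeps the raw string. quote=True also escapes ' and " for attribute use."""
    return html.escape(value, quote=True)


def demo():
    """Run both query styles against the same inputs and report what happened."""
    conn = make_db()
    results = {}

    # 1. A legitimate name containing an apostrophe: binding handles it,
    #    concatenation produces a broken statement.
    results["param_apostrophe"] = lookup_param(conn, "o'brien")
    try:
        lookup_concat(conn, "o'brien")
        results["concat_apostrophe_failed"] = False
    except sqlite3.OperationalError:
        results["concat_apostrophe_failed"] = True

    # 2. A single-quote input that changes the query's meaning: concatenation
    #    returns every row, binding treats the whole string as one username.
    probe = "x' OR '1'='1"
    results["concat_probe_rows"] = len(lookup_concat(conn, probe))
    results["param_probe_rows"] = len(lookup_param(conn, probe))

    # 3. Raw storage, escaped rendering.
    results["rendered"] = render_cell("<b>o'brien</b>")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The only difference between the two lookups is whether the value is spliced into the SQL text or handed to the driver separately, which is exactly why the answer calls parameter binding the only true protection; the same input that breaks or widens the concatenated query is just a literal string to the bound one. `render_cell` is applied at output, never before storage.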