All Questions
163 questions
1 vote, 0 answers, 50 views
How to Enhance Security Against SQL Injection in PHP with PostgreSQL? [duplicate]
I've implemented a PHP script to handle form submissions and insert data into a PostgreSQL database. However, I'm concerned about the potential security vulnerabilities, particularly SQL injection. ...
2 votes, 2 answers, 136 views
PHP: Prepare JSON selector to Prevent MySQL Injection
What is the best/proper way to prepare a dynamic MySQL JSON selector for queries, in order to prevent SQL injection? As an example, say I want to execute the following query:
SELECT `key` ->> &...
0 votes, 1 answer, 53 views
Protection query against SQL injection, using PDO [duplicate]
May I ask you how to make this protected against SQL injection?
I have
$podminkazeme = "";
$podminkakraj = "";
if ( isset( $_GET[ "zeme" ] )and !empty( $_GET[ "zeme&...
1 vote, 0 answers, 48 views
Can we use variable value in direct query using OOPS concept? - SQL Injection [duplicate]
I am creating a website using the PHP PDO OOPS concept. For example, I want to count columns for different columns. I have created a function in a class. I follow all steps to secure data (SQL injection).
...
2 votes, 0 answers, 109 views
How to use where as function and select function in POV of SQL Injection [closed]
As I have to fetch data multiple times, I created a select function and a where function. Is it the right way to use them, and also, from the point of view of SQL injection, is this way not good? Please guide
...
-1 votes, 1 answer, 126 views
PHP SQL Injection Failing [duplicate]
I work as a coding school mentor and I am introducing my students to PHP and concepts like PDO and prepared statements. To show them how prepared statements (among other things) can be useful in ...
2 votes, 1 answer, 146 views
Is My PDO Prepared Statement Secure If I Bind The Parameters In The Execute Function?
I have some form data that I'm writing to a database with PDO prepared statements.
This form data is sanitized and validated on the way in to the database with filter_var() functions and regular ...
1 vote, 1 answer, 189 views
Create a PHP application vulnerable to multi-statement SQL injections
I am trying to create an application in PHP using PDO that is deliberately vulnerable to SQL injection for educational purposes. The underlying database is Postgres.
With pdo->query I can ...
2 votes, 2 answers, 96 views
When should one use PDO::query? [duplicate]
I have just learned that in order to avoid SQL injections it's better to use the prepare/execute duo:
$pdo = new PDO ('mysql:host=something;port=something dbname=something','name','pswd');
$sql = &...
0 votes, 3 answers, 219 views
Is the switch-function SQL-injection safe?
I'm trying to access entries from the database with variable column names.
I have this table containing vehicles that can belong to one of three categories (car, bike, truck):
vehicle
car
bike
truck
...
-3 votes, 1 answer, 290 views
How to address second order SQL injection without using PDO or binding in PHP application
How to address second-order SQL injection without using PDO or mysqli binding in a PHP application. I did much research but all of it points to PDO, which I do not have. mysql_real_escape_string PHP escape is ...
1 vote, 0 answers, 23 views
Is this a sufficient prepared statement? [duplicate]
I've read through many of the recommended questions regarding PHP, PDO and prepared statements, but I still find myself questioning whether what I have is enough to prevent an SQL injection or other attack....
2 votes, 2 answers, 176 views
Is this form using radio buttons safe from SQL Injection?
I'm trying to make a dynamic search feature on my website, where the user can choose to look up claim information based on ID, Make, Model, or Date. There is a search bar to type in the data and the ...
0 votes, 0 answers, 27 views
PHP PDO Bind Param with Having Clause where aggregate function mixed with variable [duplicate]
I am building an SQL Library for my framework which I am making for a university project.
I have finished all the helper methods and I am confused about one thing.
How do I bind a parameter or value ...
1 vote, 1 answer, 233 views
PDO and SQL Injection concerns [duplicate]
I'm sorry about the title being a little unclear, but I'm new here. I was wandering around StackOverflow and came across an answer stating that when executing a SQL query, data should never be fed ...
1 vote, 3 answers, 747 views
How to create safe (avoid SQL injection) pagination using PHP and PDO and prepared statement?
I was searching for how to create PDO pagination and I found this answer, which is vulnerable to SQL injection.
I'm wondering about the easiest way to convert this code to be SQL injection safe.
Update #1
...
0 votes, 0 answers, 38 views
Updated: How to parameterize a query having an 'IN' clause? [duplicate]
We are using raw queries in our project. I want to parameterize my SQL query to avoid SQL injection, but I am facing an issue with the 'IN' clause.
The IN clause has every type of value in it, like 'string', 'int', or both
...
1 vote, 2 answers, 224 views
Does type hinting the function parameters in PHP (using versions >7.0) make the code SQL-injection safe?
I have the following piece of code (inherited from a previous dev):
declare(strict_types=1);
function updateWithCurrentTime(PDO $connection, int $id): void{
$date = date('m/d/Y h:i:s a', time());
...
-1 votes, 1 answer, 86 views
Is this 100% safe from SQL Injection and will it work correctly for any input? [closed]
$a=$_GET["a"];
$b=$_GET["b"];
$a=str_replace("%", "\%", $a);
$b=str_replace("%", "\%", $b);
$sql="SELECT * FROM table ";
$sql.="WHERE ColA LIKE :txtA AND ColB LIKE :txtB";
$query = $db->prepare($...
0 votes, 1 answer, 2k views
PHP: What is the default charset for PDO MySQL?
I was reading about second-order MySQL injection on this page: Are PDO prepared statements sufficient to prevent SQL injection?
It brought up many questions about the charset, and I am not sure ...
0 votes, 1 answer, 298 views
PHP - execute function doesn't work with implode
Okay, I don't know what exactly the problem is. So, I decided to post it here to discuss it with you.
The problem is that when I use the PHP implode function in PDO execute(array(implode(",",$imploded))))...
0 votes, 0 answers, 170 views
secure way to upload text and image in php
Just want to check how vulnerable my scripts and projects are. From researching experts' blogs and answers, I found that possible attacks and injections are based on
file types
sql statements
access to ...
1 vote, 2 answers, 157 views
Is it safe to not escape my input in SQL?
I am wondering whether I should use named parameters only for user input, or do I have to do it for all? For example
$id = $_POST['id'] ;
$update = $conn->prepare("UPDATE users SET profile ='reset',
...
0 votes, 0 answers, 52 views
Using mysql_real_escape_string() instead of a prepared statement in the IN operator [duplicate]
I'm in a situation where I can't mix named and positional parameters in my PDO prepared statement. It's a long story, but to simplify, I decided to just ditch prepared statements when using the IN operator.
...
3 votes, 2 answers, 335 views
Is it safe to use Bound Parameters as User-Defined Variable in MySQL?
THE ISSUE
I understand that using a prepared statement prevents injection, as the prepared statement execution consists of two stages: prepare and execute.
OK, but I do not really get what is going on ...
0 votes, 1 answer, 422 views
How can I prevent SQL injection using foreach to insert multiple rows?
On the client side, the user can specify categories (think menu categories like Appetizers, Entrees, Desserts). My goal is to store these categories in my database. My code works but I fear the $...
-2 votes, 1 answer, 256 views
PHP MySQL PDO: prevent SQL injection while creating table
I have to create a table in MySQL dynamically. Column names will be provided by the client at runtime. And it is also said that you should not add user input directly into the query.
create table test(...
0 votes, 0 answers, 36 views
Using a PHP array within a MySQL/PDO WHERE IN statement [duplicate]
I'd like to safely use an array of strings within a WHERE IN SQL statement. For example:
$myArray = array('a','b','c');
Would be converted to something like
SELECT * FROM myTable WHERE name IN ('a'...
3 votes, 1 answer, 135 views
Secure, extensible database with dynamic prepared statements
Problem:
My task is to create a database to hold information about various products and to create a RESTful API to serve and manage this information. But the client doesn't know exactly what all ...
1 vote, 1 answer, 1k views
Single Quote Escape in PDO Prepared Statement Parameters
So I understand PDO Prepared Statements should protect from SQL injection and ' escapes. But when I attempted the following...
if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST["id"]))
...
0 votes, 1 answer, 447 views
How to replace mysql_escape_string by PDO::quote()
I'm learning PHP using http://www.elated.com/articles/cms-in-an-afternoon-php-mysql/ which has been very useful so far, but I cannot get my head around how to replace the deprecated mysql_escape_string.
I'...
-2 votes, 1 answer, 3k views
How to prevent SQL Injection in Laravel 5.4
I am using Laravel 5.4. I have a form where I take some inputs from the user. The form variables are directly inserted into the database. I want to make sure the user does not enter anything that could harm ...
1 vote, 1 answer, 419 views
Inserting ampersand into SQL table through PDO
I'm currently able to insert data into a SQL DB using the .php below; however, if the data contains an ampersand it treats it as a PHP statement and the ampersand doesn't get inserted into the DB.
For ...
2 votes, 3 answers, 124 views
Am I safe from SQL injection if I know for sure that a certain value I am using in a dynamic statement is an integer?
Before I make my query, I check if the variable that is to be used in that query is an integer using this code: filter_var($_POST["user_id"], FILTER_VALIDATE_INT) !== false.
My question is, should I ...
4 votes, 1 answer, 84 views
Confused about when mysql code is injection proof using PDO
I understand the basic idea of how MySQL statements can be vulnerable, but every time I try to find a useful guide, the ways to achieve this with PDO look different from each other. Also, I'm ...
2 votes, 1 answer, 1k views
PHP PDO Security Procedures for Simple Inserting into MySQL
I'm just starting to learn PHP (alongside SQL) and I've looked a lot into security measures. This website: https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
has helped me, although most of it ...
2 votes, 1 answer, 350 views
Idiorm PDO prepared statement
I want to use the following idiorm (ORM): https://github.com/j4mie/idiorm.
It features the following:
Built on top of PDO.
Uses prepared statements throughout to protect against SQL injection attacks.
...
0 votes, 0 answers, 82 views
What is this SQL injection attack and what should I check to see that I am not vulnerable?
I am escaping all my inputs through PDO.
From time to time I see the following attack in my logs:
1 AND 1=2 UNION SELECT 0x6461726b31636f6465,0x6461726b32636f6465,0x6461726b33636f6465,...
1 vote, 0 answers, 260 views
How to convert from mysqli to PDO with function that hides empty columns
I have an HTML form to read out data from a DB that is then displayed in an HTML table. Columns that contain no values should not be displayed. This works well with the following code using ...
0 votes, 0 answers, 61 views
PDO Bind IN with WHERE AND
PHP - Using PDO with IN clause array
I have seen these, but they only say how to bind IN; I also want other parameters along with IN.
"SELECT * FROM table WHERE id IN($list_of_ids) AND type = $type AND ...
0 votes, 1 answer, 155 views
How can I convert MySQLi into prepared statements? [duplicate]
I'm very new to PHP/MySQL so please understand; however, I am trying to implement a complex login system into my site. So far I have the registration done, however I have not done it using prepared ...
0 votes, 2 answers, 80 views
A safer PDO::prepare?
Using PDO::prepare potentially greatly reduces the possibility of SQL injection, because it allows parameterized queries. However, as it also allows non-parameterized queries, its safety depends ...
1 vote, 0 answers, 507 views
Trouble addressing sql injection with PDO
tl;dr: Rewrote database class using mysql to use PDO instead to make use of prepared statements, but running sqlmap from Kali still extracts tables from the website's database. How?
Longer version:
...
-2 votes, 1 answer, 36 views
Would this source of code be "Safe" from SQL injections?
Would the following source of code be safe from SQL injections? If not, would you please provide a way to make it more secure?
Please note: Database credentials were hidden for security while making ...
0 votes, 0 answers, 95 views
secure dynamic parts of prepare statements [duplicate]
I am implementing prepared statements with dynamic parts like so
$stmt = $db->prepare("SELECT * FROM" .$table. "WHERE id=? AND name=?");
The "table" part is dynamic; it is a variable that contains ...
-2 votes, 1 answer, 124 views
How are prepared statements implemented at code level and which entity implements them?
Say we have a typical prepared statement query like so:
$db->query("SELECT * FROM users WHERE id = :id");
$db->bind(':id', "x ' OR 'x' = 'x");
$db->execute();
Question
What is the ...
0 votes, 2 answers, 702 views
PHP, PDO, MySQL - Multiple INSERT vulnerable to injection? [duplicate]
In my application (PHP) I am going to request ~3000 rows from an API and insert these in a MySQL table using the PDO driver.
Although the data to be inserted isn't user input, it is out of my hands ...
4 votes, 1 answer, 783 views
Doubts of security: Mysqli vs PDO [duplicate]
I've started to create my website, but now I have a few doubts. I've read that MySQLi object oriented is good to use because you can prepare the queries, use bind_param and execute. The MySQLi from ...
-1 votes, 2 answers, 757 views
Whitelisting effectiveness against SQL Injection
Let's say I had something like the following:
function return_some_info($db, $id){
if (! preg_match("/^\d{5}$/",$id)) {
header("Location: safepage.php");
exit;
}
$query="...
1 vote, 1 answer, 930 views
Is it safe to pass form request directly to model in Laravel/Eloquent?
I'm using Laravel/Eloquent outside of Laravel..
For some user scenarios I need to write my own Validation Class since I'm not using all the Laravel components..
So my question is:
should I ...