SQL Injections, Bound Parameters, Multiple Variables and other such joys...

Discussion in 'PHP' started by Rory M, Apr 21, 2008.

  1. #1
    Hi everyone,

    I am an intermediate PHP developer and I am just finalising a site for beta release. In the joys of the modern age (yay, hackers) I realise that I need to take steps to prevent SQL injections, so I read a few articles. Every one of these articles seemed to recommend that I use Bound Parameters. I kind of get the idea, but I have hit a problem.

    The code that was given by example on their site was:

    // Prepare the statement once; the "?" is a placeholder for the value.
    $sth = $dbh->prepare("SELECT email, userid FROM members WHERE email = ?;");

    // execute() takes an array of values, one per placeholder, in order.
    $sth->execute(array($email));

    Where $email was given by a form.

    This is fine for a single variable, however what about on a registration form? Or anything else where there are MULTIPLE variables? I mean, do I use multiple ? marks or what?

    Grateful for advice as always;
    Rory
     
    Rory M, Apr 21, 2008 IP
  2. #2
    cough ; delete from members; --

    insecure.....
     
    Acecool, Apr 21, 2008 IP
  3. #3
    Would you suggest something better then?
     
    Rory M, Apr 21, 2008 IP
  4. #4
    I'm not quite sure what he is talking about . . . his example is nothing more than a typical SQL injection provided in any decent paper on SQL security.

    If you utilize bound parameters correctly, his provided example would not execute successfully.

    Basically, you need to sanitize your user input. Strip out all apostrophes, and anything that may be considered an SQL statement. There are several proprietary commands in PHP that will allow you to do this. For example mysql_escape_string().

    For using bound parameters, basically you are separating data and the SQL so that data is not executed as an SQL query. Here is some information on it provided by OWASP: http://www.owasp.org/index.php/Avoiding_SQL_Injection

    On a side note, you may want to familiarize yourself with OWASP, there is a TON of good information on web application security provided here.

    You may also consider looking at preventing SQL injections with embeddings as outlined in this research paper: http://portal.acm.org/ft_gateway.cfm?id=1289975&type=pdf

    The paper covers an API that may help you do exactly what you're requesting called "String Borg". You may find the API at: http://www.program-transformation.org/Stratego/StringBorg

    And finally, you might consider implementing PHPIDS (intrusion detection system): http://php-ids.org/

    Cheers,
    Louis
     
    Louis11, Apr 21, 2008 IP
    Rory M likes this.
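Worked example, added here and not part of any post in this thread: it answers the question in post #1 (how to bind several values at once) and shows the separation of data from SQL that post #4 describes. It uses PDO, the same API as the snippet in post #1, with an in-memory SQLite database so it runs without a MySQL server. The members table, the registerMember and findMember functions, and the sample form values are all constructed for this demonstration.

```php
<?php
// Added example (not from the thread): binding several values with PDO.
// Uses an in-memory SQLite database so it runs offline; the table and the
// "form" values below are constructed for the demo.

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$dbh->exec('CREATE TABLE members (
    userid    INTEGER PRIMARY KEY,
    email     TEXT NOT NULL,
    username  TEXT NOT NULL,
    pass_hash TEXT NOT NULL
)');

// 1. Positional placeholders: one "?" per value, passed to execute() as an
//    array in the same order. This is the multi-variable form of the
//    single-"?" snippet quoted in post #1.
function registerMember(PDO $dbh, string $email, string $username, string $password): int
{
    $sth = $dbh->prepare(
        'INSERT INTO members (email, username, pass_hash) VALUES (?, ?, ?)'
    );
    // Never store the raw password; bind the hash instead.
    $sth->execute([$email, $username, password_hash($password, PASSWORD_DEFAULT)]);
    return (int) $dbh->lastInsertId();
}

// 2. Named placeholders: easier to read once a query has many parameters,
//    and the order of bindValue() calls no longer matters.
function findMember(PDO $dbh, string $email, string $username): ?array
{
    $sth = $dbh->prepare(
        'SELECT userid, email, username FROM members
          WHERE email = :email AND username = :username'
    );
    $sth->bindValue(':email', $email, PDO::PARAM_STR);
    $sth->bindValue(':username', $username, PDO::PARAM_STR);
    $sth->execute();
    $row = $sth->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed "form" input. The second email is the string from post #2:
// because it travels as a bound parameter it is stored as plain data and
// is never parsed as part of the SQL statement.
$hostile = "'; delete from members; --";
registerMember($dbh, 'rory@example.com', 'rory', 'correct horse battery');
registerMember($dbh, $hostile, 'acecool', 'hunter2');

// Both rows are still present: no DELETE ever ran.
$count = (int) $dbh->query('SELECT COUNT(*) FROM members')->fetchColumn();
printf("members rows: %d\n", $count);

// The hostile string comes back exactly as submitted, as a literal value.
$found = findMember($dbh, $hostile, 'acecool');
printf("stored email: %s\n", $found['email']);

// A lookup that matches nothing returns null rather than throwing.
var_dump(findMember($dbh, 'nobody@example.com', 'rory'));
```

Either placeholder style is fine, but do not mix "?" and ":name" in one statement, and supply exactly one value per placeholder or PDO will raise an error. One caveat specific to MySQL: by default pdo_mysql emulates prepared statements on the client side, so set PDO::ATTR_EMULATE_PREPARES to false in the connection options if you want the server itself to perform the binding.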
  5. #5
    Well, thank you for your constructive comment, I will definitely read through those links.

    Thanks Again,
    Rory
     
    Rory M, Apr 23, 2008 IP