
Is this a good way for SQL injection prevention

I have read many things here about how to prevent SQL injection, and also on other websites and forums. The only thing is that it makes me really confused about how to protect your website when writing stuff to the database.

I'm creating, as a school project, something where a lot of input from the users will be written to the database. I'm currently checking them with JavaScript for illegal characters. Then I use AJAX to activate my controller, use the query in my model, and send it back to the view.

But let's go on to my problem.

If I validate an input first with JavaScript (client-side), then server-side with PHP. If I first check in PHP whether the input contains illegal characters like * '' `` > <, that kind of thing, which you would use in a query for getting information from the database. Then strip the whitespace, since I don't want to have things with spaces on the website as user input.

Then use mysqli_real_escape_string() on the input. Then send it to the query, which will look like this.

/**
 * Rename a user; the values are passed as bound parameters to the PDO query.
 * @param string $oldUsername current username (match in WHERE clause)
 * @param string $newUsername replacement username
 * @return mixed
 */
public function updateUsername($oldUsername, $newUsername) {
    return $this->_db->query("UPDATE `users` SET `username` = :new_username WHERE `username` = :old_username",
        [':new_username' => $newUsername, ':old_username' => $oldUsername]);
}

So 1 > Check using JavaScript
2 > Check by PHP for characters like * < > ' #
3 > Use mysqli_real_escape_string()
4 > Pass it to the PDO query

Is this a good way of preventing SQL injection? I really don't want to send my school project live on the air with SQL injection haha.

Greetz,

Also, many thanks for reading my long story.

  1. No. Banning characters prevents people from using them and there are often valid reasons to use them. If it makes no sense for the characters to appear in the data, then you can filter them to help keep the data sane. Don't do it as a security measure.
  2. Ditto
  3. No. Parametrised queries are better.
  4. Yes, but not in combination with mysqli_real_escape_string, since you shouldn't mix APIs, and if you used both you would double escape things and put \\ characters in your data.
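To make points 3 and 4 of the answer concrete, here is an added example (not code from the question or the answer) that runs the same UPDATE through PDO twice: once with the raw value bound as a parameter, and once after escaping it first. It uses an in-memory SQLite database so it runs offline, and `addslashes()` stands in for `mysqli_real_escape_string()`, which needs a live MySQL connection; the table, user names and helper functions are all constructed for this illustration.

```php
<?php
// Added example: parameterised PDO query vs. escape-then-bind.
// In-memory SQLite so this runs without a MySQL server (assumption: PDO sqlite driver available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE)");
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");   // constructed sample rows

/**
 * Rename a user with a prepared statement. The values are sent separately from
 * the SQL text, so quotes, backslashes or keywords inside them are plain data
 * and cannot change the statement's structure. No escaping is needed or wanted.
 */
function updateUsername(PDO $db, string $oldUsername, string $newUsername): int {
    $stmt = $db->prepare("UPDATE users SET username = :new_username WHERE username = :old_username");
    $stmt->execute([':new_username' => $newUsername, ':old_username' => $oldUsername]);
    return $stmt->rowCount();
}

/** Look a user up by exact username; returns null when no row matches. */
function lookup(PDO $db, string $username): ?string {
    $stmt = $db->prepare("SELECT username FROM users WHERE username = :u");
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : $row;
}

// 1. Correct: bind the raw value. A name with an apostrophe is stored exactly as typed.
updateUsername($db, 'alice', "O'Brien");
var_dump(lookup($db, "O'Brien"));      // string(7) "O'Brien"

// 2. Mixing APIs (escape, then bind): the escaping backslash becomes part of the data.
//    addslashes() plays the role of mysqli_real_escape_string() here.
updateUsername($db, 'bob', addslashes("O'Neil"));
var_dump(lookup($db, "O'Neil"));       // NULL  -- the stored value is O\'Neil, not O'Neil
var_dump(lookup($db, "O\\'Neil"));     // string(7) "O\'Neil"
```

The second case is the double-escaping the answer describes: the driver already quotes bound values safely, so the extra backslash is never consumed as an escape and ends up in the column. A quick integrity check for an existing application is to search the table for values containing `\'` or `\\`, which usually means an escaping function was applied somewhere in front of a prepared statement.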
