Recipe 18.5. Eliminating SQL Injection


18.5.1. Problem

You need to eliminate SQL injection vulnerabilities in your PHP applications.

18.5.2. Solution

Use a database library such as PDO that performs the proper escaping for your database:

<?php $db = new PDO('mysql:host=localhost;dbname=users',               $_SERVER['DB_USER'],               $_SERVER['DB_PASSWORD']); $statement = $db->prepare("INSERT                              INTO   users (username, password)                              VALUES (:username, :password)"); $statement->bindParam(':username', $clean['username']); $statement->bindParam(':password', $clean['password']); $statement->execute(); $db = NULL; ?> 

18.5.3. Discussion

Using bound parameters ensures your data never enters a context where it is considered to be anything except raw data, so no value can possibly modify the format of the SQL query.

If you do not have access to PDO, you can use a database library written in PHP, such as PEAR::DB, that offers a similar feature:

<?php $st = $db->query('INSERT             INTO   users (username, password)             VALUES (?, ?)',             array($clean['username'], $clean['password'])); ?> 

Although this method still intermingles your data with the SQL query, PEAR::DB ensures that the data is quoted and escaped properly, so there is no practical risk of SQL injection.

18.5.4. See Also

Chapter 10 for more information about PDO, particularly Recipes Recipe 10.6 and Recipe 10.7; documentation on PDO at http://www.php.net/pdo; on PEAR::DB at http://pear.php.net/manual/en/package.database.db.php.




PHP Cookbook, 2nd Edition
PHP Cookbook: Solutions and Examples for PHP Programmers
ISBN: 0596101015
EAN: 2147483647
Year: 2006
Pages: 445

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net