sql injection


#1

Hi
How can I test if my database is sensitive to SQL injection? How do I check? I was looking for an answer online but there is no straight answer. I need to check if my DB is protected. When I upload the website (it's not 100% done), just testing PHP, I get weird code (script and SQL) in my DB.


#2

Do you use prepared and parameterized queries? If so you are ok. If not you are vulnerable.


#3

Yes, but I want to double check if it is 100% secured and hope I didn't make any mistake.


#4

Is this a good way to do this?
https://www.w3schools.com/php/php_mysql_prepared_statements.asp


#5
I get weird code ( script and sql ) in my DB

If the sql you tried to inject was treated as data, rather than being treated as sql syntax, your method might be safe. It would take seeing your code and seeing what data you tried and what actually got inserted to help.

is this a good way to do this?

That’s what a prepared query is, but don’t do it as shown at w3schools. The w3schools php code examples are filled with bad practices.

What you should do is -

  1. Use the php.net documentation to learn the basic usage of any php statements.

  2. Use the php PDO extension. It is much simpler and more consistent than the php mysqli extension.

  3. Use ? place-holders whenever possible.

  4. Don’t explicitly bind any inputs, even if executing the query multiple times. Binding occurs wholly within the php extension and takes extra statements, causes extra processing, and in the case of specifying an integer type, limits values to php’s maximum integer value, which can be less than your database column definition, which will break your application. Instead, supply the input data as an array to the PDO ->execute(…) method call.

  5. Don’t unconditionally echo connection and query errors onto a web page. This gives hackers information they can use, especially on shared web hosting, where multiple accounts have access to the same database server that you have, and where there is no incorrect authentication detection and reporting on the database connection attempts. You should display errors when learning and developing/debugging code/queries and log them on a live/public server. The simple way of doing this is to use exceptions for database statement errors and let php catch the exception where it will use its error_reporting, display_errors and log_errors settings to control what happens with the actual error information. The only time your code should catch and handle a database statement error is when detecting and handling duplicate data values.

Edit: 6) When you make the PDO database connection, in addition to setting the error mode to exceptions, set the character set, turn off emulated prepared queries, and set the default fetch mode to assoc.
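As an added example that is not code from the thread (and not the original poster's site), the following PHP puts the advice from posts #2 and #5 into one working piece: a PDO connection with the character set, exception error mode, emulated prepares off and assoc fetch mode; ? place-holders with the data passed as an array to execute(); and a catch block that only handles the duplicate-key case. The host, database name, credentials and the `adverts` table (with a UNIQUE index on `title`) are assumed placeholders.

```php
<?php
// Added example (not from the thread). Connect with PDO the way post #5
// recommends, then insert and read back a row with ? place-holders.
// Host, database name, credentials and the `adverts` table are placeholders.

function connectPdo(string $host, string $dbName, string $user, string $password): PDO
{
    // The character set goes in the DSN; the options array sets the error mode
    // to exceptions, turns off emulated prepares and makes assoc the default fetch mode.
    $dsn = "mysql:host={$host};dbname={$dbName};charset=utf8mb4";
    $options = [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ];
    return new PDO($dsn, $user, $password, $options);
}

function insertAdvert(PDO $pdo, string $title, string $body): int
{
    // The values are never concatenated into the SQL text. They are sent to the
    // server separately from the statement, so a title containing quotes or SQL
    // keywords is stored as a literal string, not interpreted as SQL syntax.
    $stmt = $pdo->prepare('INSERT INTO adverts (title, body) VALUES (?, ?)');
    $stmt->execute([$title, $body]);   // no explicit bindValue/bindParam needed
    return (int) $pdo->lastInsertId();
}

function findAdvertById(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, title, body FROM adverts WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch();             // assoc array because of the default fetch mode
    return $row === false ? null : $row;
}

// Usage. Connection and query errors are NOT echoed here; uncaught PDOExceptions
// are handled by php's error_reporting / display_errors / log_errors settings.
// The only error handled in code is a duplicate key (SQLSTATE 23000, MySQL error 1062),
// which assumes a UNIQUE index on adverts.title.
$pdo = connectPdo('localhost', 'DB_NAME_PLACEHOLDER', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER');

try {
    // Constructed test value: a title that contains a quote and SQL keywords.
    $id = insertAdvert($pdo, "Opel Astra 2009'); DROP TABLE adverts; --", 'Test advert body');
    $row = findAdvertById($pdo, $id);
    var_dump($row['title']);           // the whole string comes back unchanged: it was data
} catch (PDOException $e) {
    if ($e->getCode() === '23000' && ($e->errorInfo[1] ?? null) === 1062) {
        echo "An advert with that title already exists.\n";
    } else {
        throw $e;                      // anything else goes to php's own error handling
    }
}
```

The test value in the usage block is the kind of check the original poster asked about: after running it, the `adverts` table still exists and the row's `title` column holds the entire string, which is what post #5 means by the injected SQL being "treated as data".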


#6

Thank you
I’m using mysqli, because I think it was the easiest way to learn. I will have a look at PDO as well. I thought that w3schools is a good way to learn basics. I will have a look at the documentation as well. Thank you for the tips.


#7

If you insist on using mysqli then I would use the Object-Oriented Programming method instead of the Procedural Programming method, for you will find it easier switching over to PDO when you do. I don’t know how true this is, for I read it somewhere on the Internet that doing it the procedural way in mysqli is just using an extra layer of coding (a wrapper) anyway.


#8

I’m just learning the PDO way to code, but I think mysqli is easier to learn :slight_smile: I want to protect the website and everyone is telling me that PDO is better than mysqli, so I don’t have a choice.


#9

Either is fine but most seem to like PDO better. I don’t think mysqli is any easier to learn than PDO; you don’t have to fully understand OOP etc. to use PDO, and if you use a proper IDE that autocompletes methods (prepare, execute etc.) then using it for normal web apps should be a walk in the park.


#10

Maybe you are right. I had basic knowledge about mysqli from college, that’s the only reason; nobody told us about PDO (they just mentioned a few words). I will show you my simple website when I’m done so you can have a look.


#11

It’s better to get some insight/critique before you finish everything. You might want to do something based on the feedback you get :wink:


#12

I will show you guys, I just want to finish the design today. I’m creating a small website for adding and deleting adverts (without login or registration). I know I will get a lot of spam; I will keep an eye on the adverts and if I get too much spam I will add a registration form. I’m just trying to make it as easy as possible for the user.


#13

You can have a look at my web page (not finished yet): www.ofertowi.pl - a small Polish website for adding and deleting adverts, and a forum will be done tonight to chit chat :slight_smile: Test all you want. It’s hard to do anything by myself.


#14

The site looks good, clean and nice UI, so you seem to have gotten a good start.

.background
The background for modals shouldn’t be a fixed height; it looks silly on 4K monitors (any monitor with more px vertically than 1000).

The link to open advert details seems strange and is hard to find, at least in Chrome. I’d suggest changing it so the whole article list item div is a link, and instead of POSTing just use a link with the ID of the advert object in the URL (GET). Atm all your advert detail pages will have the same URL, so browser and search engine caches etc. will definitely mess this up. I also strongly suggest using the ID to reference objects instead of a text string. If you want to use a text string then you could look into “sluggifying” the title of the object so it can be used in “pretty” URLs.

Why are images inlined with src=base64? It seems to suggest they are stored in the database, which is a huge waste as you’re filling the database with lots of data you cannot query. If you move them to disk they can also be cached, both by your web server and, more importantly, by your users’ web browsers.


#15

Thank you for your feedback. I don’t know how you found out about the images but you are right, they are stored in the DB. I’m still working on this website. I have just created this website to check my basic PHP skills. I will keep working on it. I will check your feedback properly and I will try to fix it :slight_smile: Thank you again.


#16

If you go to the article details for, e.g., one of the cars and view the source, you will see A LOT of base64-encoded data in an img src attribute. ^^


#17

I’m a newbie so I’m still learning :slight_smile: I know you are a pro and this kind of website is easy to make for you :slight_smile: P.S. I don’t think anyone from Poland in my county will use a 4K monitor. Is it possible that you can send me a screenshot? Can you send it to markwain13@gmail.com
Thank you