LinuxQuestions.org

Preventing MySQL Injections (https://www.linuxquestions.org/questions/linux-security-4/preventing-mysql-injections-884823/)

carlosinfl 06-06-2011 10:05 AM

Preventing MySQL Injections
 
I have a database server in my office and it's also exposed to the outside world via web servers that run PHP. I was wondering how can I make sure my server is protected from SQL injections or other commonly SQL level attacks? I want to make sure my data on the server remains secure. I'm not exactly sure what happens when someone does a SQL injection but it sounds like a bad thing.

acid_kewpie 06-06-2011 10:15 AM

Plenty of information about what it is, and what to do about it if you look - http://www.tizag.com/mysqlTutorial/m...-injection.php for example.

Basically, write good code, and don't believe anything a user tells you.

dugan 06-06-2011 10:20 AM

Every SQL statement that takes a parameter should be a prepared statement with bound parameters. You never build SQL queries with string concatenation.

Quote:

Originally Posted by carlosinfl (Post 4377857)
I'm not exactly sure what happens when someone does a SQL injection but it sounds like a bad thing.

Here's one recent testimonial:

http://programmers.stackexchange.com...ite-what-to-do
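The point dugan makes, shown side by side as an added example (not code from the thread; it uses Python's built-in sqlite3 module and a constructed in-memory table as a stand-in for the PHP/MySQL setup, since the mechanism of bound parameters is the same). The concatenated version hands the user's text to the SQL parser, so even a legitimate name containing an apostrophe changes the statement; the bound version compares it as data only:

```python
import sqlite3

def make_sample_db():
    """Constructed in-memory table standing in for the office MySQL server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    conn.commit()
    return conn

def find_by_name_concat(conn, name):
    """The pattern the thread warns against: the user's text becomes SQL."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_by_name_bound(conn, name):
    """Prepared statement with a bound parameter: the value travels separately
    from the SQL text, so whatever it contains is compared as data only."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

def compare(name):
    """Run both lookups on the same input; report the error class name instead
    of raising so the two behaviours can be seen next to each other."""
    conn = make_sample_db()
    try:
        concat = find_by_name_concat(conn, name)
    except sqlite3.Error as exc:
        concat = type(exc).__name__
    bound = find_by_name_bound(conn, name)
    conn.close()
    return {"concat": concat, "bound": bound}

if __name__ == "__main__":
    print(compare("bob"))      # both lookups find bob
    print(compare("O'Brien"))  # concat: the quote reaches the SQL parser; bound: found
```

The apostrophe case is the whole lesson in miniature: with concatenation the database sees a different statement than the programmer wrote, and what it becomes depends entirely on what the user typed. With a bound parameter the statement's shape is fixed before any user data arrives.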

Hangdog42 06-06-2011 11:31 AM

I know this is a comic, but it is one of the best "explanations" of SQL injections I've seen.

Noway2 06-06-2011 03:20 PM

In addition to the prepared statements, I like to sanitize all input received from the user before using it in any fashion. For example, if you are expecting numerical input, make sure that you only receive a number AND that it is within the expected range. If you are expecting a date or date-time make sure that it is in the proper format AND that it is a valid date. Do not pass anything received from a user directly to your database.
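Noway2's two checks (a number that is really a number and within range; a date that is well-formed and actually exists on the calendar) as an added example, again in Python rather than the thread's PHP and not taken from any post. The regular-expression gate in front of int() is deliberate: int() alone happily accepts strings such as "1_000", which is not what a web form should be sending.

```python
import re
from datetime import date

# Whole-string patterns; fullmatch() means no trailing junk slips through.
_INT_RE = re.compile(r"[+-]?[0-9]+")
_DATE_RE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")

def parse_int_in_range(raw, low, high):
    """Accept only a plain decimal integer that lies inside [low, high]."""
    if not isinstance(raw, str):
        raise ValueError("expected a string from the request")
    s = raw.strip()
    if not _INT_RE.fullmatch(s):
        # int() by itself would accept "1_000"; we want digits and nothing else.
        raise ValueError("not an integer: %r" % raw)
    value = int(s)
    if not low <= value <= high:
        raise ValueError("out of range: %d" % value)
    return value

def parse_iso_date(raw):
    """Accept only YYYY-MM-DD, and only if it names a real calendar date."""
    if not isinstance(raw, str):
        raise ValueError("expected a string from the request")
    s = raw.strip()
    if not _DATE_RE.fullmatch(s):
        raise ValueError("bad date format: %r" % raw)
    return date.fromisoformat(s)   # raises ValueError for e.g. 2011-02-30

def outcome(fn, *args):
    """Wrap a validator so accepted and rejected inputs can be listed together."""
    try:
        return ("ok", fn(*args))
    except ValueError as exc:
        return ("rejected", str(exc))

if __name__ == "__main__":
    # Constructed sample inputs: what a quantity field and a date field might carry.
    for raw in ["42", " 7 ", "1_000", "500", "42abc", "12.5"]:
        print("qty", repr(raw), outcome(parse_int_in_range, raw, 1, 100))
    for raw in ["2011-06-06", "2011-02-30", "06/06/2011", "2011-6-6"]:
        print("date", repr(raw), outcome(parse_iso_date, raw))
```

Only the value the validator returns (an int or a date object) goes on to the query, and it still goes in as a bound parameter; validation narrows what the application will accept, prepared statements guarantee that what it accepts cannot rewrite the SQL. The two measures complement each other rather than substitute for one another.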

unSpawn 06-06-2011 03:31 PM

...and in addition to that, GreenSQL doesn't prevent injections, but at least it's an IDS approach to getting early warnings of malicious activity.

sundialsvcs 06-07-2011 09:12 AM

The "Bobby Tables problem," referred to (and originally inspired by) that comic strip, has another aspect, too: "don't give your web applications any more database privileges than they actually require to do a particular thing." If you are querying records, you shouldn't be using a database-handle that is connected using privileges that allow writing to anything ... nor read-access to anything that does not need to be queried at this time.

Basically, it comes down to being distrustful, and programming your applications to do the same thing.
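sundialsvcs's point about separate database handles, as an added example that is not from the thread. On MySQL you would create a separate account for the read paths (for instance GRANT SELECT ON shop.orders TO 'webreader'@'webhost', with the write account used only where the application really modifies data); here the same split is shown with Python's sqlite3 module, whose mode=ro URI option gives a connection that the engine refuses to write through, so a query-only code path cannot modify anything even if a query it builds goes wrong. The database file and its contents are constructed for the demo.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

def create_db(path):
    """Set up the constructed sample database with a full-privilege connection."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, item TEXT)")
    conn.execute("INSERT INTO orders (item) VALUES ('widget')")
    conn.commit()
    conn.close()

def open_reader(path):
    """Read-only handle for code paths that only ever query (SQLite mode=ro)."""
    return sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)

def open_writer(path):
    """Read-write handle, reserved for the few code paths that must modify data."""
    return sqlite3.connect(path)

def try_insert(conn):
    """Attempt a write and report whether the engine allowed it."""
    try:
        conn.execute("INSERT INTO orders (item) VALUES ('gadget')")
        conn.commit()
        return True
    except sqlite3.OperationalError:   # "attempt to write a readonly database"
        return False

def demo():
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "shop.db")
    create_db(path)
    reader, writer = open_reader(path), open_writer(path)
    result = {
        "reader_can_select": reader.execute("SELECT count(*) FROM orders").fetchone()[0],
        "reader_can_insert": try_insert(reader),
        "writer_can_insert": try_insert(writer),
    }
    reader.close()
    writer.close()
    return result

if __name__ == "__main__":
    print(demo())  # reader selects fine, reader insert refused, writer insert allowed
```

The enforcement lives in the database engine, not in the application code, which is exactly where you want it: a bug in the report page cannot become a write to the orders table because the handle that page holds is not allowed to write at all.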

softwarelabus 06-13-2011 02:53 PM

Like others said here, use prepared statements. I've never heard of any security hole with prepared statements.

