I am interning at a company and they have had me build a simple website which basically displays a list of their servers, and they update entries, create new entries and so on. I am new to PHP and MySQL and to web design in general. My question is: do I really need to protect against an SQL injection attack? The login to the site does not use SQL, and I am using mysqli_query, which will only allow one statement to be executed. And trying to do something where you make the WHERE clause always true doesn't really do anything, because once you're on the site you can see the entire database anyway. As I said, I am new to all this, so do I need to prevent an SQL injection attack in my case?


I don't know what mysqli_query is, but with mysql_query I usually use mysql_real_escape_string($var) if it's posted from a form using GET or POST, and the preg_replace() function.

mysqli is just another way of using MySQL with PHP; it's supposed to be better than just using the mysql commands, but I don't really know the difference. I should have specified a little more: I know of the mysql_real_escape_string function, but what I am asking is, can anyone really do damage to my site from an attempted SQL injection attack if mysqli_query will only execute one statement? A user can't enter DROP TABLE and try to cause a table to be deleted. As I said, I'm new to this and wanted to know if I really need to protect against an SQL injection attack on my site.

Oh, I don't know about mysqli. I don't know if people can inject with that. This web page says: "The data for the query does not need to be passed through a function like mysql_real_escape_string() to ensure that no SQL injection attacks[4] occur. Instead, the MySQL client and server work together to ensure that the sent data is handled safely when it is combined with the prepared statement." Does that mean it's unnecessary to use mysql and to just use mysqli?

Well, I'm using the object-oriented style, so it looks like I'm safe. Thanks for the help.

Although mysqli has benefits in preventing SQL injection, I would still say it is good practice to make sure you check that any data is in a format you would expect it to be. Get into these principles early: the server you're working on now may be great and use a number of technologies to make things easier for you now, but what happens when you move on? Learn best practices now and carry them with you wherever you go :)

I think the safe bet is to say there's always going to be someone who figures out a way around any security setting. Then the question is, how often does your hosting company update its PHP server? And honestly, do you want to be caught completely off guard? Or what about when you bring another programmer on board and he slips up and uses a mysql_query instead? I think the best bet is to take the high road and protect yourself as much as you can, ESPECIALLY when it comes to database queries. Personally, I never let ANY data hit my database that hasn't gone through a regular expression. Yeah, fine, that might be overkill, but honestly I don't care; I'm just paranoid like that.

Whoops, what does the following do in mysqli (at least according to the link that was posted above)?

    $sql = "SELECT * FROM a_table WHERE something = " . $var . ";";

and $var = ";DROP TABLE a_table;";