- demo asked 4 years ago
- last active 4 years ago
As you can see, people mostly suggest that you use prepared statements. It's not wrong, but when your query is executed just once per process, there would be a slight performance penalty. I was facing this issue, but I think I solved it in a very, very sophisticated way – the way hackers use to avoid using quotes. I use it to prevent all possible SQL injection attacks.
My approach:
- If you expect the input to be an integer, make sure it really is an integer. In a dynamically typed language like PHP this is very important. You can use, for example, a very simple but powerful solution:
sprintf("SELECT 1,2,3 FROM table WHERE 4 = %u", $input);
- If you expect anything other than an integer, hex it. If you hex it, you will perfectly escape all input. In C/C++ there is a function called mysql_hex_string(); in PHP use bin2hex(). Don't worry that the escaped string will be 2x the size of its original length, because even if you use mysql_real_escape_string or bin2hex, PHP has to allocate the same capacity ((2*input_length)+1). This hex method is often used when you transfer binary data, but I see no reason not to use it for all data to prevent SQL injection attacks. Note that you have to prepend 0x or use the MySQL function UNHEX().
So, for example, the query:
SELECT password FROM users WHERE name = 'root'
will become:
SELECT password FROM users WHERE name = 0x726f6f74
Perfect escape. No way to inject.
Note that this hex is often used in SQL injection attacks where integers are treated just like strings and escaped only with mysql_real_escape_string, so you can avoid using quotes. For example, if you just do something like this:
"SELECT title FROM article WHERE id = " . mysql_real_escape_string($_GET["id"])
an attacker will inject you very easily. Consider the following injected code returned from your script:
SELECT ... WHERE id = -1 union all select table_name from information_schema.tables
SELECT ... WHERE id = -1 union all select table_name from information_schema.tables where table_name = 0x61727469636c65
But if the coder of the injectable site would hex it, no injection would be possible:
SELECT ... WHERE id = 0x2d3120756e696f6e20616c6c2073656c656374207461626c655f6e616d652066726f6d20696e666f726d6174696f6e5f736368656d612e7461626c6573207768657265207461626c65203d2030783631373237343639363336633635
NOTE: This answer was originally posted at StackOverflow.com by Zaffy
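The two rules from the answer above (validate integers, hex-encode everything else), written out as an added PHP example of my own rather than Zaffy's code. It assumes a MySQL backend, uses constructed inputs instead of $_GET, and only covers values: table or column names cannot be passed this way and still need an allow-list.

```php
<?php
// Added example, not code from the original answer: build MySQL literals so
// that no user-controlled byte reaches the SQL text unencoded.

/**
 * Hex literal for an arbitrary string. Every byte, quotes included, becomes
 * two hex digits, so the value can never terminate the literal. MySQL reads
 * 0x... as a binary string; UNHEX('...') is the equivalent function form.
 */
function sqlHexLiteral(string $value): string
{
    if ($value === '') {
        return "''";               // "0x" with no digits is not a valid literal
    }
    return '0x' . bin2hex($value);
}

/**
 * Unsigned integer literal in the spirit of the answer's sprintf("%u").
 * The input is validated first: %u on its own silently wraps a negative
 * value and coerces a non-numeric one instead of rejecting it.
 */
function sqlUintLiteral($value): string
{
    $n = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($n === false) {
        throw new InvalidArgumentException('expected a non-negative integer');
    }
    return sprintf('%u', $n);
}

// Constructed inputs: a name containing a quote and a well-formed id.
$name = "O'Brien";
$id   = "12";

echo 'SELECT password FROM users WHERE name = ' . sqlHexLiteral($name) . "\n";
echo 'SELECT title FROM article WHERE id = ' . sqlUintLiteral($id) . "\n";

// A malformed id is rejected before any SQL is built, not encoded into it.
try {
    sqlUintLiteral('12abc');
} catch (InvalidArgumentException $e) {
    echo 'rejected id: ' . $e->getMessage() . "\n";
}
```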
- demo answered 5 years ago
tobre
- demo answered 5 years ago
Here is my answer!
- demo answered 5 years ago
Where can I add images?
- demo answered 10 years ago
lol cat
- demo answered 5 years ago