SQL Injection

akmal1981

Greetings !

Hi Brad, quoting your comment in my previous thread :

User-supplied data should never be placed directly into a SQL query string, else your code will be vulnerable to SQL injection attacks and/or just plain SQL errors.

errr ... what do you mean by the above sentence ? user supplied data ?

Speaking of prepared statements, note that the mysql extension is severely outdated and has been superseded for some time now; you should consider replacing it with more updated extensions such as MySQLi or PDO.

mysql extension is severely outdated , you mean mysql_real_escape_string ?

Thanks for entertaining noob questions !

akmal1981

for your further information, there will be no upload files / send mail form / user log in / or anyway in that nature in my website.

akmal1981

following my post above, since there will be no upload file / mail form etc in my website, and hence there is no user supply data .

Is my understanding above correct ? If yes, should i still worry about any attack ?

bradgrafelman

akmal1981;10995574 wrote:
errr ... what do you mean by the above sentence ? user supplied data ?

Any data which is provided by the client, the client's browser, etc.

In other words, all data from $GET, $POST, and $COOKIE; most data from $FILES; and some data from $SERVER. Also note if you directly store any from the previous list into a $SESSION variable, then that variable of course would apply here as well.

I'm not sure which one of your previous threads you were referring to, but you were probably using one or more pieces of data from the above (mostly comprehensive?) list.

akmal1981;10995574 wrote:
mysql extension is severely outdated , you mean mysql_real_escape_string ?

No, I mean the entire [man]mysql[/man] extension. In other words, any of the functions that begin with the 'mysql_' prefix.

That library has been superseded by ones such as [man]MySQLi[/man] (the 'i' stands for improved - clever, isn't it?) or [man]PDO[/man].

EDIT: Also, for an introduction to the topic of SQL injection, see the following man page for some light reading: [man]security.database.sql-injection[/man].