Preventing SQL Injections with PHP

Woolie

Member
Thought I'd write up an article explaining the risks of SQL injections and how to prevent them. Useful if you're developing database driven applications.

Clicky Here
 

Livewire

Abuse Compliance Officer
Staff member
Now THIS'll come in handy for me - there's a systems project a group is working on for my college (I'm in that group actually). Granted, the users able to access the system aren't going to be doing this stuff anyways but I'm still gonna code against it :)

Thanks ^_^


Edit: Hey, quick question: Could this also be countered by changing the SQL user's privileges so all they can do is select statements? I mean, they can't delete something if the user that they're logging in as can't use a delete statement, right?
 

Woolie

Member
That's correct, yes, you can modify the permissions for the user and this will prevent them from causing harm. This is a perfectly good way of doing things, and on production servers it is recommended. However, it can cause problems for the administration system for the site as you can't delete or modify records. The way to get around this is to have another field in the tables (for example a posts table) that is a boolean value "deleted". Then when you want to delete a field from within the application, you simply set that value to true, and when displaying the records, don't show any with the deleted field set to true.

I personally prefer to defensively code against SQL injection attacks because it's just good practice and means that when people install your application they don't have to worry about setting up separate user accounts with specific privileges.

It's personal preference, but yes, you can use user permissions.
 
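As an added example (not code from the thread or from the linked article), here is the "deleted" flag approach from the post above, written in PHP with mysqli prepared statements instead of the mysql_real_escape_string() approach, so that user input is bound as data rather than spliced into the SQL string; the table, column names and connection details are assumptions.

```php
<?php
// Added example, not code from the thread: soft-delete with a "deleted" flag,
// run as a restricted MySQL user, using mysqli prepared statements so that user
// input is bound as data instead of being spliced into the SQL string.
// Table, column names and connection details are assumptions.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

// The application user is assumed to hold no DELETE privilege, e.g. (run as admin):
//   GRANT SELECT, UPDATE (deleted) ON blog.posts TO 'app'@'localhost';
$db = new mysqli('localhost', 'app', 'app-password', 'blog');
$db->set_charset('utf8mb4');

// Soft delete: flip the flag instead of issuing DELETE. Even if $postId were
// attacker-controlled, the placeholder keeps it a bound integer.
function softDeletePost(mysqli $db, int $postId): bool
{
    $stmt = $db->prepare('UPDATE posts SET deleted = 1 WHERE id = ? AND deleted = 0');
    $stmt->bind_param('i', $postId);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected === 1;
}

// Listing: hide soft-deleted rows. The search term is bound as a string, so
// quotes or comment markers in it are matched literally, not parsed as SQL.
// LIKE wildcards (% and _) are escaped too, so they cannot widen the match.
function searchVisiblePosts(mysqli $db, string $term): array
{
    $stmt = $db->prepare(
        'SELECT id, title FROM posts WHERE deleted = 0 AND title LIKE ? ORDER BY id DESC'
    );
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage with request input (constructed): cast the id, pass the term through.
softDeletePost($db, (int) ($_GET['id'] ?? 0));
foreach (searchVisiblePosts($db, (string) ($_GET['q'] ?? '')) as $row) {
    echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

With the GRANT above, the application user cannot issue DELETE at all, so the "deleted" flag is the only way rows disappear from the listing, and the column-level UPDATE grant keeps it from rewriting anything else.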

Livewire

Abuse Compliance Officer
Staff member
Killer, means I don't need to recode my website for the 400th time :)

The system for college I do need to do your thing with though, I already know that even though the server is using users, they're also all set to "all privileges." If you've taken so much as one class there you could destroy the whole site :S
 

Woolie

Member
Ouch, yeah, that sounds dangerous... just make sure you use mysql_real_escape_string() on stuff and you really can't go wrong.
 