/    Sign up×
Community /Pin to ProfileBookmark

Is this safe from SQL injection?

Copy linkTweet thisAlerts:
Feb 22.2014

//GET PARAMS

[CODE]if (isset($_GET[‘filter’])) {$filter = $_GET[‘filter’];} else {$filter = “Customer”;}
if (isset($_GET[‘terms’])) {$terms = $_GET[‘terms’];} else {$terms = null;}[/CODE]

//WHITELIST

[CODE]$filter_whitelist = $sort_whitelist = array(“Customer”, “Web”, “Tax_ID”);
$dir_whitelist = array(“asc”,”desc”);[/CODE]

//ENFORCE WHITELIST

[CODE]if(!in_array($filter, $filter_whitelist)) {die(“Invalid filter type.”);}
if(!in_array($sort, $sort_whitelist)) {die(“Invalid sort type.”);}
if(!in_array($d, $dir_whitelist)) {die(“Invalid direction.”);}[/CODE]

//QUERY

[CODE]$stmt = $db->prepare(“SELECT customers.ID, customers.Customer, customers.Size, customers.Status, customers.Web, customers.Contact_Email, resellers.Reseller, distributors.Distributor FROM customers INNER JOIN resellers on customers.Reseller=resellers.ID INNER JOIN distributors on resellers.Distributor=distributors.ID WHERE customers.Status=’Prospect’ AND $filter LIKE :terms ORDER BY $sort $d LIMIT :page, 18”);
$stmt->bindValue(‘:page’, $page, PDO::PARAM_STR);
$stmt->bindValue(‘:terms’, $query_terms, PDO::PARAM_STR);
$stmt->execute();
$rows = $stmt->fetchAll();[/CODE]

to post a comment
PHP

2 Comments(s)

Copy linkTweet thisAlerts:
@BezzzZFeb 24.2014 — It seems safe,

a few small tips though :

trim your inputs (it is a personal thing, but I have found it has saved me many headaches):
<i>
</i>if (isset($_GET['filter'])) {$filter = trim($_GET['filter']);} else {$filter = "Customer";}
if (isset($_GET['terms'])) {$terms = trim($_GET['terms']);} else {$terms = null;}


have separate white lists (in future they may not be the same)
<i>
</i>$filter_whitelist = = array("Customer", "Web", "Tax_ID");
$sort_whitelist = array("Customer", "Web", "Tax_ID");


rather than killing the process for invalid input, rather use your defaults
<i>
</i>if(!in_array($filter, $filter_whitelist)) {$filter = "Customer";}
if(!in_array($sort, $sort_whitelist)) {$sort = "Customer";}
if(!in_array($d, $dir_whitelist)) {die($d = "asc";}


you are using PDO, so let it do the work on your input variables for you :
<i>
</i>$stmt = $db-&gt;prepare("SELECT customers.ID, customers.Customer, customers.Size, customers.Status, customers.Web, customers.Contact_Email, resellers.Reseller, distributors.Distributor FROM customers INNER JOIN resellers on customers.Reseller=resellers.ID INNER JOIN distributors on resellers.Distributor=distributors.ID WHERE customers.Status='Prospect' AND filter_1_column_name LIKE ? AND filter_2_column_name LIKE ? ORDER BY ? ? LIMIT :page, 18");
$stmt-&gt;execute(array($filter,$filter_2_value,$sort,$d);
$rows = $stmt-&gt;fetchAll();
Copy linkTweet thisAlerts:
@NogDogFeb 24.2014 — As far as SQL injection is concerned, the only part of all of that which means anything is where you use bound parameters in your prepared statement. Doing that as you are for any external values will take care of this issue -- everything else is application-specific as to how you want to filter or not filter inputs for other (non-SQL-related) reasons.
×

Success!

Help @018125 spread the word by sharing this article on Twitter...

Tweet This
Sign in
Forgot password?
Sign in with TwitchSign in with GithubCreate Account
about: ({
version: 0.1.9 BETA 5.18,
whats_new: community page,
up_next: more Davinci•003 tasks,
coming_soon: events calendar,
social: @webDeveloperHQ
});

legal: ({
terms: of use,
privacy: policy
});
changelog: (
version: 0.1.9,
notes: added community page

version: 0.1.8,
notes: added Davinci•003

version: 0.1.7,
notes: upvote answers to bounties

version: 0.1.6,
notes: article editor refresh
)...
recent_tips: (
tipper: @AriseFacilitySolutions09,
tipped: article
amount: 1000 SATS,

tipper: @Yussuf4331,
tipped: article
amount: 1000 SATS,

tipper: @darkwebsites540,
tipped: article
amount: 10 SATS,
)...