Preventing SQL Injection in dynamic SQL

I asked this question earlier (Preventing SQL Injection in dynamical SQL), but it was not clear, which resulted in the question being closed, and I was later told in the comments that I should ask the question again.

A requirement of my PHP/MySQL application is to allow every user to create multiple "views" of the data. These views are not traditional SQL views, but are implemented by the application.

For instance, the user could create a view and provide the following criteria:

  • Name of the view.
  • Desired records per page.
  • Which columns to display by using a dropdown menu.
  • Any filters for the results. A first dropdown menu is used to select the column, a second dropdown menu is used to select the operator (equals, not equal, greater than, etc.), and then either a third dropdown menu is used to select the value to be matched or the user directly enters the value to be matched.
  • Whether the records should be grouped on a given column.
  • Based on the user's selection, various tables might need to be joined to the query to support the select, where, and group by clauses, and the application is used to eliminate duplicate table joins should they exist.

After the user has finished configuring their views, there is a dropdown menu which allows them to select their desired view, and the appropriate results are displayed.

I have implemented this functionality by storing the user's selections in several tables, and also storing the resultant query (actually, I store individual sections of the query in various columns so that I can count the total results in an initial query and return the correct number of results in a second query) in a SQL table. Note that I am storing the user's selections only so that I can allow them to edit their view requirements, and not to create the resultant query on the fly (more on this later).

I recognize that I have to be very careful, as doing this can be prone to SQL injection. For instance, I can't just escape the user's input using PDO and store it in the database, and then later retrieve the data and use it in a query, since when it is retrieved it is no longer escaped.

To combat this risk, I limit user input to integers wherever possible, and typecast them where possible. Where user inputs are percentages and dollar amounts, I multiply by 100, typecast the result to an integer, and then divide by 100 before storing it. A couple of the filters require text as the value in the WHERE clause, and as stated earlier, escaping the data is not enough, so instead I am using $user_input = preg_replace('/[^a-z0-9,]/i', '', $_POST['user_input']); to make it safe.

Is this an accepted method to implement this functionality? Is there an easier way to ensure the user input is safe? My earlier post Preventing SQL Injection in dynamical SQL indicated that this type of practice should never be attempted; however, I don't know how else to do it. Are there any other steps I should take to prevent injection?

Or maybe I should not create a query and store it in a table when the user saves their view configuration, but create the query on the fly from the user's saved values each time the user selects a given view. This would have a negative performance impact and add complexity, but I suppose I can do it. Would you recommend using this strategy?

Thank you
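Added example (editor's code, not from the question or the answer): the "build the query on the fly from the saved selections" option from the last paragraph of the question, worked through end to end. Escaping only protects string literals; column names, operators, table joins and LIMIT values are not literals, so the only way to keep them safe is to store the user's choices as keys and look them up in whitelists when the query is rebuilt, while every filter value is bound as a parameter. Python's sqlite3 stands in here for PHP/PDO and MySQL (both accept the same `?` placeholders); the customers/orders tables, the COLUMNS/JOINS/OPERATORS whitelists and the sample rows are constructed for the demo and are assumptions, not the application's schema. The example also handles the two points the question raises: the joins are deduplicated (each alias is joined once no matter how many selections need it), and the count query and the page query share one parameter list.

```python
import sqlite3

# --- Whitelists: the ONLY source of identifiers that ever reach the SQL text ---
# user-facing key -> (SQL expression, alias of the table that provides it).
# Schema is constructed for this demo, not the original application's.
COLUMNS = {
    "customer":    ("c.name",   "c"),
    "city":        ("c.city",   "c"),
    "order_total": ("o.total",  "o"),
    "status":      ("o.status", "o"),
}
# alias -> join fragment, in dependency order; "" marks the base table
JOINS = {"c": "", "o": "JOIN orders o ON o.customer_id = c.id"}
OPERATORS = {"eq": "=", "ne": "<>", "gt": ">", "lt": "<", "ge": ">=", "le": "<="}


class UnsafeViewDefinition(ValueError):
    """Raised when a saved view names a column or operator outside the whitelist."""


def build_view_queries(view, page=1):
    """Rebuild (count_sql, page_sql, count_params, page_params) from a saved view.
    `view` is plain data as the application would store it: column keys, filter
    triples (column key, operator key, value), a group-by key and a page size.
    Identifiers are looked up in the whitelists; values are bound, never spliced."""
    try:
        select_cols = [COLUMNS[key] for key in view["columns"]]
        filters = [(COLUMNS[f["column"]], OPERATORS[f["op"]], f["value"])
                   for f in view.get("filters", [])]
        group_col = COLUMNS[view["group_by"]] if view.get("group_by") else None
    except KeyError as exc:
        raise UnsafeViewDefinition(f"not in whitelist: {exc.args[0]!r}") from None
    per_page = int(view["per_page"])           # typecast, as the question already does
    if per_page < 1 or page < 1:
        raise UnsafeViewDefinition("per_page and page must be >= 1")

    # Every alias needed by SELECT, WHERE or GROUP BY, each joined exactly once.
    needed = {alias for _, alias in select_cols} | {alias for (_, alias), _, _ in filters}
    if group_col:
        needed.add(group_col[1])
    from_sql = " ".join(["FROM customers c"] +
                        [sql for alias, sql in JOINS.items() if alias in needed and sql])

    where_sql, params = "", []
    if filters:
        where_sql = "WHERE " + " AND ".join(f"{expr} {op} ?" for (expr, _), op, _ in filters)
        params = [value for _, _, value in filters]     # the only user-typed data, all bound
    group_sql = f"GROUP BY {group_col[0]}" if group_col else ""
    body = " ".join(part for part in (from_sql, where_sql, group_sql) if part)

    select_list = ", ".join(expr for expr, _ in select_cols)
    if group_col:   # count groups, not rows, when the view is grouped
        count_sql = f"SELECT COUNT(*) FROM (SELECT {group_col[0]} {body})"
    else:
        count_sql = f"SELECT COUNT(*) {body}"
    # ORDER BY is required for stable pages; LIMIT/OFFSET are bound like any other value.
    page_sql = f"SELECT {select_list} {body} ORDER BY 1 LIMIT ? OFFSET ?"
    return count_sql, page_sql, params, params + [per_page, (page - 1) * per_page]


def run_view(conn, view, page=1):
    """The two-query pattern from the question: total count first, then one page."""
    count_sql, page_sql, count_params, page_params = build_view_queries(view, page)
    total = conn.execute(count_sql, count_params).fetchone()[0]
    rows = conn.execute(page_sql, page_params).fetchall()
    return total, rows


def demo_connection():
    """In-memory SQLite standing in for MySQL, loaded with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, city TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, total REAL, status TEXT);
        INSERT INTO customers VALUES (1,'Ada','Paris'), (2,'Bob','Berlin'), (3,'Cy','Paris');
        INSERT INTO orders VALUES (1,1,120.0,'paid'), (2,1,40.0,'open'),
                                  (3,2,75.5,'paid'), (4,3,10.0,'open');
    """)
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    paris_big = {"columns": ["customer", "order_total"], "per_page": 10,
                 "filters": [{"column": "city", "op": "eq", "value": "Paris"},
                             {"column": "order_total", "op": "gt", "value": 20}]}
    print(run_view(conn, paris_big))            # total 2: Ada's two orders
    hostile_value = {"columns": ["customer"], "per_page": 10,
                     "filters": [{"column": "city", "op": "eq", "value": "' OR 1=1 --"}]}
    print(run_view(conn, hostile_value))        # (0, []): bound as a literal, matches no city
    try:
        run_view(conn, {"columns": ["name; DROP TABLE customers; --"], "per_page": 10})
    except UnsafeViewDefinition as exc:
        print("rejected:", exc)
```

Nothing here needs to be "un-escaped" later, which is the trap the question describes: what is saved is the set of keys and raw values, and the SQL text is regenerated from the whitelists on every request, so the stored data is never SQL. The `preg_replace` character filter becomes unnecessary for values (they are bound) and insufficient for identifiers (a filtered column name is still a column name, so it must come from the list). In PDO the same two statements are `$pdo->prepare($sql)->execute($params)` with the identical `?` placeholders.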


Hello, I get you, I think.

This is what you are looking for: http://www.php.net/manual/en/function.addslashes.php

    // escapes NUL, \n, \r, \, ', " and ^Z for the mysql_* extension
    $safestring = mysql_real_escape_string($_POST['user_input']);
    // addslashes() escapes quotes and backslashes in the already escaped string
    $safestring = addslashes($safestring);

If you want to make it even safer, that is, so that the user cannot input HTML, use this function after the one above (i.e. mysql_real_escape_string):

    // converts &, <, >, " (and, depending on flags, ') to HTML entities
    $safestring = htmlspecialchars($safestring);

Now all your user input will stay as it is: if the string is "user's input" it will stay as "user's input" and not change to "users input", so nothing is being replaced, and it's still safe.

Regards.

Link: http://www.djcxy.com/p/93968.html
