Sunday, 15 September 2013

Best ways of stopping sql injections? [duplicate]

This question already has an answer here: How can I prevent SQL injection in PHP? (26 answers)

Thanks to everyone for your help in advance. I am trying to learn MySQL. I
was going to set up a database to practice with, but I was on here reading
and looking for examples, and kept seeing people saying they were going
to get an SQL injection. I have been reading about this for a while now,
and I'm getting more confused the more I read. I have decided to go with
PDO to prevent this, even though from what I read it's the prepared
statements that make it safe, and I will still have to whitelist it. My
question is whether someone can give beginners like myself a setup we can use
that will be pretty effective at stopping these attacks. From what I
understand it seems almost impossible to stop them; I saw someone say
something about the DNS being the only sure way. I would like to learn to do
this the right way, even though I probably don't need so much security
right now. If I'm not wrong they can still use blind injections even if
you use PDO; if so, I was thinking of adding a delay of 2-5 seconds or
something like that. Idk if that would be too much on the user end; I'm
just learning, and have no real-world experience. Also the type of things
I will be doing will probably be very basic for now... mom and pop type
stuff. If I build someone a site with a user name and pass I don't want
them to get these attacks, I just don't like it. So if it is a little slow
but more secure I would like to be at least able to give them that option.
My thinking is to be really annoying to them and hopefully not be worth
it. From what I read also the length of the table names or user names can
make it harder for them, say using phrases instead of just 6-8 letters.
Also I think least privilege will help as well, but it seems there is
always a way around everything, and if you're new and don't know exactly
what you're doing, you're going to be vulnerable. I have copied code from
somewhere that I was going to fit for my needs, but I really have not
tried to put together what I'm looking for yet; I'm still in the reading and
learning phase.
<?php
// dBug is a third-party debugging class; the original line read "dBug!.php",
// which is a typo for its file name.
require_once "dBug.php";

// Connection details are placeholders: fill in your own host, database name
// and credentials. The database user should only have the rights the page
// needs (here, SELECT on "books").
$dsn = "mysql:host=localhost;dbname=YOUR_DATABASE";
$user_name = "YOUR_DB_USER";
$pass_word = "YOUR_DB_PASSWORD";

$connect = new PDO($dsn, $user_name, $pass_word);
// Throw an exception on any database error instead of failing silently.
$connect->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// A fixed query with no user input; when input is involved, it goes in as a
// bound parameter, never pasted into this string.
$sql = "SELECT * FROM books WHERE id <= 10";
$result = $connect->prepare($sql);
$status = $result->execute();

// rowCount() is not guaranteed to report rows for a SELECT on every driver,
// so fetch the rows and test whether anything came back.
$results = $status ? $result->fetch_all_assoc_placeholder() : array();
?>
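The two things the asker is circling around, prepared statements and whitelisting, are easiest to see side by side. The following is an added example, not the asker's code or any library's: it contrasts a string-built query with a PDO prepared statement, and shows a whitelist for the one place bound parameters cannot help, an identifier such as the column name in ORDER BY. It uses an in-memory SQLite database so it runs offline; the table, the user, the password and the inputs are constructed sample data, and the function names are the example's own.

```php
<?php
// Added example (not the asker's code): vulnerable string concatenation beside
// its prepared-statement replacement, plus an identifier whitelist.
// The users table, the "alice" account and all inputs are constructed data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With MySQL you would also have the server, not the driver, bind values:
// $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pass_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (username, pass_hash) VALUES (:u, :h)');
$ins->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

// UNSAFE: the username is pasted into the SQL text, so quote characters in
// the input change the meaning of the query itself.
function findUserUnsafe(PDO $db, string $username): array
{
    $sql = "SELECT id, username, pass_hash FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the username is sent as a bound parameter. The SQL is parsed before
// the value is attached, so the value can never become SQL; this holds for
// blind injection too, because there is no query text for the input to alter.
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, username, pass_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers (table and column names) cannot be bound, so user input is
// mapped onto a fixed list of allowed names and anything else is rejected.
function listUsersSorted(PDO $db, string $requestedColumn): array
{
    $allowed = ['id' => 'id', 'username' => 'username'];
    if (!isset($allowed[$requestedColumn])) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $stmt = $db->query('SELECT id, username FROM users ORDER BY ' . $allowed[$requestedColumn]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed hostile input: closes the quoted string and appends a condition
// that is always true, so the unsafe query matches every user, while the
// prepared statement looks for a user literally named "' OR '1'='1" and
// finds none.
$bogus = "' OR '1'='1";
echo "unsafe rows: ", count(findUserUnsafe($db, $bogus)), "\n";
echo "safe rows:   ", count(findUserSafe($db, $bogus)), "\n";

// The password check happens in PHP against the stored hash, not in SQL.
$rows = findUserSafe($db, 'alice');
var_dump(!empty($rows) && password_verify('correct horse', $rows[0]['pass_hash']));

// A column that is not on the whitelist (here the hash column) is refused.
try {
    listUsersSorted($db, 'pass_hash');
} catch (InvalidArgumentException $e) {
    echo "rejected sort column: ", $e->getMessage(), "\n";
}
```

Run it with the PHP CLI and the pdo_sqlite extension. The design point is that the two defences cover different inputs: values (a username, an id, a search term) always go through `prepare` and `execute`, and anything that has to become part of the SQL text (a column to sort by, a table to read) is chosen from a fixed list you wrote, never copied from the request. Adding a delay, as the question considers, does not change either of these; the slow part is not what makes the query safe.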
