PHP Security - Avoid SQL Injection


1

It’s wrong or unsafe to use:

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    foreach ($_POST as $key => $value) $$key = $value;
    ...
}

Let’s say I have this code, but then call a stored procedure with prepare on the variables. Do I run some risk of an SQL injection attack?

Being a little more specific, my problem is in:

foreach ($_POST as $key => $value) $$key = $value;

I have an analysis and security report on my system saying that this is a serious flaw of SQL Injection. Even if I’m using PDO and prepare after that!

  • Hello @Renan, the answers on that link are good. But I already follow those practices and my system is still seen as vulnerable just because of this snippet of code shown above!

  • 2

    Use filter_input and be happy!

  • If you have a specific problem, you should post it in detail so that someone can help you. The generic version has already been answered.

  • 1

    Use PDO and Prepared statements, and be happy (2)

  • 1

    @Rodrigosartorijarouche unfortunately this is not enough. I already use PDO and prepared statements and thought that would be enough to be 100% safe. But I find that there are more things to worry about!

  • @Alan use prepared statements + filter_input

  • Use filter_input together with them; you’re right, I also thought that was enough and it is not...


1 answer

0

Yes, your method is susceptible to SQL injection.

First, I would suggest you stop writing PHP by brute force and move to a framework like Zend Framework, or simpler ones like CodeIgniter; that way you care more about what your code should do than about how security should be done. If you want to do everything natively, I’d go with the method filter_input(INPUT_POST, sua_variable), which is much safer than $_POST['variable'] or your method, since it already checks whether the variable exists and applies some filters for you, and options can be added to make it more useful. For more information look at the PHP website or the link with an example of how to use it.

  • Thanks for your attention @Gustavo Castro. But in this post there was a reply that also recommended the use of INPUT_POST. However, the other users said that this does not solve the problem and voted it down. So the owner of the answer ended up deleting it!
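As an added example (not code from the question or from Gustavo Castro's answer), the script below shows in PHP why the `foreach ($_POST as $key => $value) $$key = $value;` loop is reported as a flaw even though the query uses PDO prepared statements: binding protects the values of `:name` and `:isAdmin`, but the loop lets a request overwrite any variable in scope, including the `$isAdmin` flag and the `$table` name that is spliced into the SQL text where binding never applies. The `users` table, the field names and the sample requests are constructed for this example; PHP 8 with the pdo_sqlite extension is assumed.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answer. It shows why
// `foreach ($_POST as $key => $value) $$key = $value;` is reported as a flaw
// even with PDO prepared statements, and an allow-list alternative.
// Assumes PHP >= 8 with pdo_sqlite; the users table, the field names and
// the sample requests are constructed for this example.

function setupDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, is_admin INTEGER NOT NULL)');
    return $pdo;
}

// The pattern from the question. Only $name is meant to come from the form,
// but $table and $isAdmin live in the same scope, so any extra POST key
// with that name silently replaces them before the query is built.
function registerUnsafe(PDO $pdo, array $post): void {
    $table   = 'users';
    $isAdmin = 0;
    $name    = '';

    foreach ($post as $key => $value) $$key = $value;   // variable variables

    // :name and :isAdmin are bound, so their *values* cannot break the SQL,
    // but $isAdmin itself now comes from the request, and $table is spliced
    // into the statement text, where parameter binding does not apply.
    $stmt = $pdo->prepare("INSERT INTO $table (name, is_admin) VALUES (:name, :isAdmin)");
    $stmt->execute([':name' => $name, ':isAdmin' => (int) $isAdmin]);
}

// Allow-list version: only the expected field is read, the table name is a
// literal, and the privilege flag is never taken from the request.
// With a live request you would use filter_input(INPUT_POST, 'name', ...);
// filter_var_array() is used here because the example passes a constructed array.
function registerSafe(PDO $pdo, array $post): void {
    $clean = filter_var_array($post, [
        'name' => ['filter' => FILTER_DEFAULT, 'flags' => FILTER_REQUIRE_SCALAR],
    ]);
    $name = trim((string) ($clean['name'] ?? ''));
    if ($name === '' || strlen($name) > 64) {
        throw new InvalidArgumentException('name is required (max 64 chars)');
    }
    $stmt = $pdo->prepare('INSERT INTO users (name, is_admin) VALUES (:name, 0)');
    $stmt->execute([':name' => $name]);
}

function dumpUsers(PDO $pdo): void {
    foreach ($pdo->query('SELECT name, is_admin FROM users ORDER BY id') as $row) {
        printf("  %-10s is_admin=%d\n", $row['name'], $row['is_admin']);
    }
}

$pdo = setupDb();

// Constructed request: the form only has a "name" field, but the client
// added two extra fields carrying the names of internal variables.
$request = ['name' => 'mallory', 'isAdmin' => '1', 'table' => 'users'];

registerUnsafe($pdo, $request);
echo "after registerUnsafe():\n";
dumpUsers($pdo);            // mallory is_admin=1  <- flag overwritten via $$key

// Same pattern, but "table" now names a table that does not exist: the error
// proves the statement text, not just its parameters, is request-controlled.
try {
    registerUnsafe($pdo, ['name' => 'eve', 'table' => 'users_archive']);
} catch (PDOException $e) {
    echo "registerUnsafe() with table=users_archive: " . $e->getMessage() . "\n";
}

registerSafe($pdo, $request);
echo "after registerSafe():\n";
dumpUsers($pdo);            // extra fields ignored, new row has is_admin=0
```

Run it with `php example.php`. The point for a reviewer is that "PDO + prepare" only covers the parameters you bind: a prepared statement cannot help when the request is allowed to choose which variables exist and what the statement text contains. In a real handler read only the fields you expect (`filter_input(INPUT_POST, 'name')` or an explicit `$_POST['name']`), keep table and column names as literals, and if a column really must vary, map the request value through a fixed allow-list instead of interpolating it.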
