What are the differences when including values (coming from a form for example), in a query mounted in PHP and executed in MYSQL, among the forms below?

Asked

Viewed 56 times

0

I have studied and seen that there are different ways of treating data before inserting them into a query which is executed in the database.

I have some questions about security and the issue of preventing some attacks like SQL Injection, etc...

I use some forms, much for recommendation, but without understanding why.

I would like to know the risks and the most recommended form among the 4 examples below.

OBS: I used SELECT in the examples, but could be a INSERT also.

1st form:

<?php

  $nome = $_POST['nome'];
  $senha = $POST['senha'];  

  $query = "SELECT * FROM tb_usuarios WHERE nome = '$nome' AND senha = '$senha'";

?>

second form:

<?php

  $nome = filter_input(INPUT_POST, 'nome', FILTER_SANITIZE_STRING);
  $senha = filter_input(INPUT_POST, 'senha', FILTER_SANITIZE_STRING);  

  $query = "SELECT * FROM tb_usuarios WHERE nome = '$nome' AND senha = '$senha'";

?>

3rd Form:

Suppose this code is within a class method and the name and password attributes are privates

<?php

  $query = "SELECT * FROM tb_usuarios WHERE nome = :nome and senha = :senha";

 $stmt = $this->conexao->prepare($query);
 $stmt->bindValue(':nome', $this->__get('nome'));
 $stmt->bindValue(':senha', $this->__get('senha'));
 $stmt->execute();

?>

4th Form:

Suppose this code is within a class method and the name and password attributes are privates

<?php

  $nome = $this->__get('nome');
  $senha = $this->__get('senha');

  $query = "SELECT * FROM tb_usuarios WHERE nome = :nome and senha = :senha";

  $stmt = $this->conexao->prepare($query);
  $stmt->bindParam(':nome', $nome);
  $stmt->bindParam(':senha', $senha);
  $stmt->execute();

?>
php mysql sql

  • Thiaguinho, this addition that asked the question has no relation to all the rest of it and given that the original question has already been answered, I suggest you open a new question treating this other question.

1 answer

2


1st form:

Completely insecure, is prone to attack SQL Injection. Takes data directly as PHP natively delivers what comes from outside and uses in query.

2nd form:

It cleans up the contents of the variables cited, according to one criterion, but it is very basic, only cleans some absurdities. It can be useful and often should be complementary to other types of protection, because it cleans different things, it is not to clean SQL, only strings ill-formed. Almost everyone cares about cleaning up just one kind of problem and this is wrong, although it can cause fewer problems. This technique is useful for cleaning but not to combat SQL Injection.

3rd Form:

Here does not clean up these absurdities but uses an API that is prepared to handle external content more securely, at least will not occur SQL Injection.

There’s obviously a difference that it’s not taking the data input directly, but rather an object that’s already done this somehow. If he cleans something else and gets it right we have no way of knowing. We can’t even be sure that he picks up any external data. Nor can we know if __get() should be used there, almost every time I see it I wonder if I shouldn’t have used a array even simple associative, who knows even the already created by PHP as done before.

If there is any doubt whether being in a class is better or safer, it is almost certain that no, has the potential to be worse, depends on what the person does.

4th Form:

The same here, the difference is that used variables before, generally unnecessary because the only advantage is to be slightly faster, in a language that is not fast in an operation that is slow, so it makes no real difference.

Browser other questions tagged php mysql sql

You are not signed in. Login or sign up in order to post.