srini_ellis — 2014-07-02T09:00:02-04:00 — #1
I have a requirement in one of my clients project (which is a PHP & MYSQL based website) to prevent sql injection attack. Below is the requirements. Is it possible ? If so how ?
"SQL Injection remediation needs to be done without changing the data that is saved in any way. This means we won't accept escape characters in the data. So, if I view the data directly using phpmyadmin or some other third party tool, I would need to see the data as it was entered, no backslases, single quotes, etc."
Thanks in advance for spending your precious time & help.
kylewolfe — 2014-07-02T09:17:06-04:00 — #2
As long as you are using properly prepared PDO statements (with parameters), this is enough to prevent SQL injection.
srini_ellis — 2014-07-02T09:24:16-04:00 — #3
If we use prepared PDO statement (with parameters), will it store the data with single quotes without escaping with backslash ?
kylewolfe — 2014-07-02T09:40:08-04:00 — #4
srini_ellis — 2014-07-02T09:44:00-04:00 — #5
kylewolfe — 2014-07-02T09:48:41-04:00 — #6
I'm sorry, I'm a little out of it this morning. It will not escape your data.
felgall — 2014-07-02T15:26:54-04:00 — #7
It doesn't need to escape your data - the data is kept completely separate so as to not need escaping.
As long as the SQL and data are in separate commands there is no possibility whatsoever of injection of SQL in the data resulting in that SQL running. If it is data then it gets processed as data.
Injection is only possible when you have code and data jumbled together and rely on escaping to tell which is which..