tags:

views:

44

answers:

4
Q: 

restrict the scope of variables in a mysql query? with brackets?

I can't remember what the method is meant to be for ensuring the scope of a variable in a query is restricted to prevent mysql injection.

where should i put brackets in the following examples?

UPDATE table SET col_1 = '$var', col_2 = '$var2' WHERE col_1 = '$var3'

and

SELECT * FROM table WHERE WHERE col_1 >= '$var1'

(Obviously looking for answers not using PDO!)

+2  A: 

If you want to prevent SQL injection, use a prepared statement, the MySQL equivalent of a parameterized query.

Example:

$db_connection = new mysqli("myserver", "user", "pass", "db");
$statement = $db_connection->prepare("SELECT thing FROM stuff WHERE id = ?");
$statement->bind_param("i", $id);
$statement->execute();

And yes, that means do use PDO

Randolpho  2010-05-17 16:34:26
ah ok, i must have been mistaken. I thought there was a method for manually parametizing my vars ( equiv of bind_param("i", $id) )
Haroldo  2010-05-17 16:43:55
@Haroldo: Well, I've seen `%d` string format statements being done, but they are a weak hack. Prepared statements and PDO are the *only* way. You're going to have to learn to live with it.
Randolpho  2010-05-17 16:46:06
A: 

Brackets have absolutely nothing to do with preventing SQL injections.

I could give you an answer using mysql_*() functions, but I won't.

If you want to be a programmer, you have to learn best practices. Saying "Obviously looking for answers not using PDO!" is ridiculous and you have a terrible attitude to go for the simple route.

Coronatus  2010-05-17 16:34:27
Thank you Coronatus, however from my research in this instance PDO would not be appropriate, i specifically put 'not PDO answers' because there are PLENTY of PDO discussions already on stackoverflow!
Haroldo  2010-05-17 16:40:03
@Haroldo: PDO is very appropriate! Why would it *not* be?
Randolpho  2010-05-17 16:44:59
I did lots of reading about it here on SO yesterday and go the impression that id you weren't reusing the obect PDO was not advised. are there any instances when PDO should not be used then?
Haroldo  2010-05-17 16:49:14
No. Always use PDO. It will make your code more secure (actually, you will never need to worry about SQL injection again), more OO, and just look more "good" :)
Coronatus  2010-05-19 19:55:20
+1  A: 

Brackets have nothing to do with scope and scope has nothing to do with preventing SQL injection.

If you are restricted from using PDO and mysqli, you can prevent injection by escaping your data with mysql_real_escape_string:

$sql = "UPDATE table SET col_1 = '".mysql_real_escape_string($var)."'";
webbiedave  2010-05-17 16:34:40
Use a prepared statement, *not* any `escape_string` variant
Randolpho  2010-05-17 16:36:15
And if prepared statements are unavailable to him? That's what my question addresses.
webbiedave  2010-05-17 16:38:05
@webbiedave - When would PDO ever be not available?
Coronatus  2010-05-17 16:39:48
Scope does have to do with SQL injection, especially with register_globals.
Marcus Adams  2010-05-17 16:40:58
prepared statements and PDO have been around for more than 5 years. The odds of neither being available are very low.
Randolpho  2010-05-17 16:44:11
@Coronatus, Randolpho: I'm on a project now where PDO is unavailable to me. @Marcus Adams: My point was that just because a variable is not global doesn't mean it's immune to injection.
webbiedave  2010-05-17 16:44:59
@webbiedave: you are using PHP4 and are unable to get the owners to upgrade? Push for the upgrade, man.
Randolpho  2010-05-17 16:46:59
@Randolpho: I have and succeeded. But they won't do it for 6 months. It's the best I could do lol!
webbiedave  2010-05-17 16:48:13
@Marcus Adams - register_what?
Coronatus  2010-05-17 17:13:45
A: 

As far as scope affecting SQL injection, I think you're talking about the PHP register_globals, setting. Ensure it's off.

Register globals basically allows a user to create a global variable simply by passing in a parameter to a GET or POST. So, if you're using a global variable in your SQL access, and the user can guess your variable, they can inject code by setting the value.

Brackets have nothing to do with scope in PHP, however.

Take a look at the following to avoid SQL injection:

  • Server side validation
  • PHP filters
  • SQL Escaping
  • Parametrized Queries

You should be doing all four.

Marcus Adams  2010-05-17 16:45:23

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL